Drupal 7.18 and Drupal 6.27 have been released. Both of them are security releases meant to fix a number of vulnerabilities.
The updates address a couple of access bypass vulnerabilities and one arbitrary PHP code execution flaw. The security holes are considered to be moderately critical and they’re all remotely exploitable.
The first access bypass vulnerability, which affects the user module search, allows blocked users to appear in search results even if the results are viewed by an unprivileged user. The issue impacts both Drupal 6.x and Drupal 7.x.
The second access bypass bug allows information about uploaded files to be displayed in RSS feeds and search results even for users who don’t have the “view uploaded files” permission. The problem impacts only Drupal 6.x customers.
The arbitrary PHP code execution flaw can be exploited by a malicious user who names a file in such a way that it bypasses the filename munging in the CMS’s input validation.
Users are advised to immediately apply these latest updates in order to fix the security problems.
Drupal is available for download here