Drupal’s David Rothstein has announced the availability of Drupal 7.27 and Drupal 6.31. The latest versions fix a moderately critical information disclosure vulnerability. A CVE identifier is being requested for the security hole; in the meantime, Drupal refers to it as SA-CORE-2014-002.
“When pages are cached for anonymous users, form state may leak between anonymous users. As a consequence there is a chance that interim form input recorded for one anonymous user (which may include sensitive or private information, depending on the nature of the form) will be disclosed to other users interacting with the same form at the same time,” the advisory reads.
The flaw impacts multi-step Ajax forms, but it’s mitigated by the fact that these forms are not exposed to anonymous users by default.
The update introduces some API changes, which means that web developers might have to update their code if their websites expose Ajax or multi-step forms to anonymous users, or if forms are displayed on pages that are cached.
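As an added illustration, not code from Drupal or from the advisory, the following Python model shows how a form_build_id baked into a cached anonymous page lets one visitor's interim input surface for another, and how forking the shared state on first write (an assumed mitigation, not a description of the actual patch) keeps each visitor's input private.

```python
# Toy model, added here, of the failure mode the advisory describes: an
# anonymous page is cached with its form_build_id baked into the HTML, so every
# anonymous visitor submits interim Ajax/multi-step input under the same key.
# This is not Drupal's code; the "fork on first write" mitigation is an
# assumption about one sound way to close the leak.
import copy
import secrets


class FormStateCache:
    """Server-side form-state store keyed by form_build_id."""

    def __init__(self, fork_shared_state):
        self.store = {}
        self.fork_shared_state = fork_shared_state

    def build_form(self, page_is_cached):
        build_id = "form-" + secrets.token_hex(4)
        # Remember that this state sits behind a cached page and may be shared.
        self.store[build_id] = {"input": {}, "shared": page_is_cached}
        return build_id  # ends up in the cached page markup

    def submit_step(self, build_id, field, value):
        """One Ajax/multi-step submission that records interim input."""
        state = self.store[build_id]
        if self.fork_shared_state and state["shared"]:
            # Mitigation: never write into state a cached page may share;
            # copy it under a fresh, per-visitor build id instead.
            build_id = "form-" + secrets.token_hex(4)
            state = dict(copy.deepcopy(state), shared=False)
            self.store[build_id] = state
        state["input"][field] = value
        return build_id  # the visitor's next step carries this id

    def visible_input(self, build_id):
        return dict(self.store[build_id]["input"])


def simulate(fork_shared_state):
    """Two anonymous visitors receive the same cached page; return what each
    can see after both have submitted interim steps (constructed sample data)."""
    cache = FormStateCache(fork_shared_state)
    cached_build_id = cache.build_form(page_is_cached=True)
    alice = cache.submit_step(cached_build_id, "phone", "555-0100")
    alice = cache.submit_step(alice, "address", "1 Example St")
    bob = cache.submit_step(cached_build_id, "name", "Bob")
    return cache.visible_input(bob), cache.visible_input(alice)
```

Without forking, Bob's view contains Alice's phone and address; with forking, each visitor sees only the fields they entered.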
Drupal 6.x and 7.x are affected. Daniel F. Kudwien, Rodionov Igor, Ryan Szrama, Roman Zimmermann and znerol have been credited for reporting the vulnerability.
Drupal users are advised to update as soon as they can. The latest versions of Drupal can be downloaded from Softpedia.