The releases don't contain any new features or functionality bug fixes

Jan 16, 2014 10:14 GMT

Drupal 7.26 and 6.30 have been released. The latest versions don’t contain any new features or functionality bug fixes. Instead, they address a few security holes, including one that’s been catalogued as being highly critical.

This highly critical vulnerability was found in the OpenID module. It can be exploited by an attacker to impersonate other users on the website, including administrators, and take over their accounts.

The attack only works if the victim has an account with an associated OpenID identity, and if the attacker has an account or is able to create one.

Another flaw, an access bypass issue, can be leveraged under certain circumstances to access content that hasn’t been published, or content that users have no permission to see. This vulnerability is considered moderately critical.

Drupal 7.26 and 6.30 also come with some security improvements to the form API.

You can download Drupal from Softpedia.