Updated drupal packages fix security vulnerabilities
Publication date: 27 Mar 2015
Affected Mageia releases: 4
CVE: CVE-2015-2559, CVE-2015-2749, CVE-2015-2750
Password reset URLs can be forged under certain circumstances, allowing an attacker to gain access to another user's account without knowing the account's password (CVE-2015-2559). Under certain circumstances, malicious users can construct a URL that will trick users into being redirected to a third-party website, thereby exposing the users to potential social engineering attacks. In addition, several URL-related API functions in Drupal 6 and 7 can be tricked into passing through external URLs when they are not intended to, potentially leading to additional open redirect vulnerabilities (CVE-2015-2749, CVE-2015-2750).