Security update for Drupal CMS
The developers of the Drupal CMS have released versions 5.8 and 6.3, which close cross-site scripting, cross-request forgery, and SQL injection holes. In particular, the OpenID module contains XSS vulnerabilities that attackers could exploit to steal login data. Users who cannot upgrade to the new versions are advised to install the patches for Drupal 5.7 or 6.2.
See also:
- SA-2008-044 - Drupal core - Multiple vulnerabilities, Drupal security advisory
- SA-2008-044 - SA-2008-045 - OpenID - Multiple vulnerabilities, Drupal security advisory
(trk)