drupal7: Multiple vulnerabilities (CVE-2016-9449, CVE-2016-9450, CVE-2016-9451, CVE-2016-9452)
CVE-2016-9449: Inconsistent name for term access query
CVE-2016-9450: Incorrect cache context on password reset page
CVE-2016-9451: Confirmation forms allow external URLs to be injected
CVE-2016-9452: Denial of service via transliterate mechanism
Affected versions:
Drupal core 7.x versions prior to 7.52
Drupal core 8.x versions prior to 8.2.3
Solution:
If you use Drupal 7.x, upgrade to Drupal core 7.52
If you use Drupal 8.x, upgrade to Drupal core 8.2.3
Reference:
https://www.drupal.org/SA-CORE-2016-005
(from redmine: issue id 6491, created on 2016-11-25, closed on 2016-12-15)
- Relations:
- child #6492 (closed)
- child #6493 (closed)