A logic error in the core upload module validation allowed
unprivileged users to attach files to content. Users can view files
attached to content which they do not otherwise have access to.
If the core upload module is not enabled, your site will not be
affected.
A deficiency in the user module allowed users who had been blocked
by access rules to continue logging into the site under certain
conditions. If you do not use the 'access rules' functionality in core,
your site will not be affected.
The BlogAPI module does not implement correct validation for
certain content fields, allowing for values to be set for fields which
would otherwise be inaccessible on an internal Drupal form. We have
hardened these checks in BlogAPI module for this release, but the
security team would like to re-iterate that the 'Administer content
with BlogAPI' permission should only be given to trusted users.
If the core BlogAPI module is not enabled, your site will not be
affected.
A weakness in the node module API allowed for node validation to be
bypassed in certain circumstances for contributed modules implementing
the API. Additional checks have been added to ensure that validation
is performed in all cases. This vulnerability only affects sites using
one of a very small number of contributed modules, all of which will
continue to work correctly with the improved API. None of them were
found vulnerable, so our correction is a preventative measure.