According to the Wednesday advisory, the open source content management system (CMS) was vulnerable to a “critical” Form API access bypass vulnerability in version 6 that could allow an attacker to submit input associated with buttons that only an administrator should be able to access.
The security team also patched six moderately critical vulnerabilities.
One of the moderately critical flaws was a “file upload access bypass and denial of service” issue that affected versions 7 and 8 and could allow an attacker to view, delete, or substitute a link to a file that the victim has uploaded to a form, the advisory said.
The remaining three vulnerabilities were rated “less critical” and included an issue affecting versions 7 and 8 that could allow email addresses to be matched to a user's account.
Drupal recommended that users update their systems to Drupal 6.38, 7.43, or 8.0.4.
The advisory also marks the last security patch that will be offered for Drupal 6, which has reached its end-of-life. Drupal said it is working with a few vendors that will to provide paid support for version 6 websites.