It was reported [1] that Drupal core 6.x versions prior to 6.34 and Drupal core 7.x versions prior to 7.34 have a session hijacking vulnerability. A specially crafted request can give a user access to another user's session, allowing an attacker to hijack a random session. This attack is known to be possible on certain Drupal 7 sites which serve both HTTP and HTTPS content ("mixed-mode"), but it is possible there are other attack vectors for both Drupal 6 and Drupal 7.

[1]: https://www.drupal.org/SA-CORE-2014-006
Created drupal7 tracking bugs for this issue:
Affects: fedora-all [bug 1166249]
Affects: epel-all [bug 1166250]
Created drupal6 tracking bugs for this issue:
Affects: fedora-all [bug 1166246]
Affects: epel-all [bug 1166247]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.