It was reported that Drupal core 6.x versions prior to 6.34, and Drupal core 7.x versions prior to 7.34, have a session hijacking vulnerability.
A specially crafted request can give a user access to another user's session, allowing an attacker to hijack a random session.
This attack is known to be possible on certain Drupal 7 sites which serve both HTTP and HTTPS content ("mixed-mode"), but it is possible there are other attack vectors for both Drupal 6 and Drupal 7.
Created drupal7 tracking bugs for this issue:
Affects: fedora-all [bug 1166249]
Affects: epel-all [bug 1166250]
Created drupal6 tracking bugs for this issue:
Affects: fedora-all [bug 1166246]
Affects: epel-all [bug 1166247]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.