According to Drupal Community, Drupal 7.27 and 6.31 were released on April 17, 2014 which contain fixes for security vulnerabilities.
Sites are urged to upgrade immediately after reading this security announcement.
- News and announcements : https://drupal.org/drupal-7.27
- Drupal 7.27 release notes : https://drupal.org/drupal-7.27-release-notes
- Drupal 6.31 release notes : https://drupal.org/drupal-6.31-release-notes
- Security details from Drupal Security Team : https://drupal.org/SA-CORE-2014-002
Drupal's form API has built-in support for temporary storage of form state, for example user input. This is often used on multi-step forms, and is required on Ajax-enabled forms in order to allow the Ajax calls to access and update interim user input on the server.
When pages are cached for anonymous users (either by Drupal or by an external system), form state may leak between anonymous users. As a consequence there is a chance that interim form input recorded for one anonymous user (which may include sensitive or private information, depending on the nature of the form) will be disclosed to other users interacting with the same form at the same time. This especially affects multi-step Ajax forms because the window of opportunity (i.e. the time span between user input and final form submission) is indeterminable.
This vulnerability is mitigated by the fact that Drupal core does not expose any such forms to anonymous users by default. However, contributed modules or individual sites which leverage the Drupal Form API under the aforementioned conditions might be vulnerable.
If you are facing any problem in upgrading Drupal for this security upgrade, please feel free to share here for discussion.