Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate the cached data of different anonymous users, which allows remote anonymous users to obtain sensitive interim form input information in opportunistic situations via unspecified vectors.
The information has been provided by Daniel F. Kudwienm, Rodionov Igor, Ryan Szrama, Roman Zimmermann, znerol _at_ drupal.org.
* Drupal core 6.x versions prior to 6.31.
* Drupal core 7.x versions prior to 7.27.
* If you use Drupal 6.x, upgrade to Drupal 6.31
* If you use Drupal 7.x, upgrade to Drupal 7.27
Drupal's form API has built-in support for temporary storage of form state, for example user input. This is often used on multi-step forms, and is required on Ajax-enabled forms in order to allow the Ajax calls to access and update interim user input on the server.
When pages are cached for anonymous users (either by Drupal or by an external system), form state may leak between anonymous users. As a consequence there is a chance that interim form input recorded for one anonymous user (which may include sensitive or private information, depending on the nature of the form) will be disclosed to other users interacting with the same form at the same time. This especially affects multi-step Ajax forms because the window of opportunity (i.e. the time span between user input and final form submission) is indeterminable.
This vulnerability is mitigated by the fact that Drupal core does not expose any such forms to anonymous users by default. However, contributed modules or individual sites which leverage the Drupal Form API under the aforementioned conditions might be vulnerable.