Blog | G5 Cyber Security

Drupal flaw allows password reset by crafting specific URLs

The Drupal team issued an update to fix a flaw that allows attackers to reset passwords by crafting URLs under certain circumstances. The vulnerabilities affect Drupal 6.x versions prior to 6.35 and Drupal 7.35. The vulnerability is also exploitable if website administrators create multiple new user accounts with the same password, or if the password hash field in the database is empty. The second flaw is an open redirect vulnerability: attackers manipulate the destination parameter to exploit it.

Source: https://securityaffairs.co/wordpress/35089/hacking/drupal-flaws.html
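The two account conditions named above (an empty password hash, or several accounts carrying the same hash) can be checked directly in the site database. The following is an added example, not code from the article or from the Drupal project. It assumes Drupal's `users` table with `uid` and `pass` columns and no table prefix, and uses an in-memory SQLite database with constructed rows as a stand-in for the site's real database.

```python
import re
import sqlite3
from collections import defaultdict


def audit_password_hashes(conn, table="users"):
    """Return (uids with an empty hash, {hash: [uids]} for hashes on >1 account)."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", table):
        raise ValueError("unexpected table name")
    # uid 0 is Drupal's anonymous user, which has no password by design.
    rows = conn.execute(f"SELECT uid, pass FROM {table} WHERE uid <> 0 ORDER BY uid")
    empty, by_hash = [], defaultdict(list)
    for uid, pw_hash in rows:
        if pw_hash is None or not pw_hash.strip():
            empty.append(uid)
        else:
            by_hash[pw_hash].append(uid)
    shared = {h: uids for h, uids in by_hash.items() if len(uids) > 1}
    return empty, shared


def build_sample_db():
    """Constructed sample data; the hash strings are placeholders, not real hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, pass TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            (0, "", ""),
            (1, "admin", "CONSTRUCTED_HASH_ADMIN"),
            (2, "editor1", "CONSTRUCTED_HASH_SHARED"),
            (3, "editor2", "CONSTRUCTED_HASH_SHARED"),
            (4, "imported", ""),
            (5, "sso_user", None),
        ],
    )
    return conn


if __name__ == "__main__":
    empty, shared = audit_password_hashes(build_sample_db())
    print("accounts with empty password hash:", empty)
    for pw_hash, uids in shared.items():
        print("accounts sharing one hash:", uids)
```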
