Arch Linux ASA-201503-18
Mar 20, 2015 - 12:00 a.m.

drupal: multiple issues

2015-03-20 00:00:00
Arch Linux
lists.archlinux.org

CVSS2: 3.5 Low (AV:N/AC:M/Au:S/C:N/I:P/A:N)

  Access Vector:          NETWORK
  Access Complexity:      MEDIUM
  Authentication:         SINGLE
  Confidentiality Impact: NONE
  Integrity Impact:       PARTIAL
  Availability Impact:    NONE

EPSS: 0.001 Low (Percentile: 41.4%)

  • CVE-2015-2559 (access bypass)

Password reset URLs can be forged under certain circumstances, allowing
an attacker to gain access to another user’s account without knowing the
account’s password.
In Drupal 7, this vulnerability is mitigated by the fact that it can
only be exploited on sites where accounts have been imported or
programmatically edited in a way that results in the password hash in
the database being the same for multiple user accounts.
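
The condition described above (several accounts sharing one password hash) can be audited directly. The following is an added example, not part of the advisory or of Drupal: it assumes the Drupal 7 `users` table columns `uid`, `name`, `pass` and `status`, and runs against constructed sample rows in an in-memory SQLite database.

```python
import sqlite3

# Constructed sample rows shaped like the Drupal 7 `users` table.
# Hash values are placeholders, not real password hashes.
SAMPLE_USERS = [
    (0, "", "", 0),  # anonymous user row, skipped by the audit
    (1, "admin", "$S$DconstructedHashAAAA", 1),
    (2, "alice", "$S$DconstructedHashBBBB", 1),
    (3, "import_01", "$S$DconstructedHashCCCC", 1),
    (4, "import_02", "$S$DconstructedHashCCCC", 1),
    (5, "import_03", "$S$DconstructedHashCCCC", 0),
    (6, "bob", "$S$DconstructedHashDDDD", 1),
]

# Every real account whose stored hash also belongs to another account.
AUDIT_SQL = """
SELECT pass, uid, name, status FROM users
WHERE uid > 0 AND pass IN (
    SELECT pass FROM users WHERE uid > 0
    GROUP BY pass HAVING COUNT(*) > 1)
ORDER BY pass, uid
"""

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users "
                 "(uid INTEGER PRIMARY KEY, name TEXT, pass TEXT, status INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn

def shared_hash_groups(conn):
    """Return {hash: [(uid, name, status), ...]} for hashes used by 2+ accounts."""
    groups = {}
    for pass_hash, uid, name, status in conn.execute(AUDIT_SQL):
        groups.setdefault(pass_hash, []).append((uid, name, status))
    return groups

def report(groups):
    lines = []
    for pass_hash, accounts in groups.items():
        # Show only a short prefix so the report does not leak full hashes.
        lines.append(f"hash {pass_hash[:8]}... shared by {len(accounts)} accounts")
        for uid, name, status in accounts:
            state = "active" if status else "blocked"
            lines.append(f"  uid={uid} name={name} ({state})")
    return lines

if __name__ == "__main__":
    print("\n".join(report(shared_hash_groups(build_sample_db()))))
```

An empty result means no accounts share a hash, which is the case the advisory describes as not exploitable on Drupal 7.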

  • None (open redirect)

Under certain circumstances, malicious users can use the destination URL
parameter to construct a URL that will trick users into being redirected
to a third-party website, thereby exposing the users to potential social
engineering attacks.

OS   Version  Architecture  Package  Version   Filename
any  any      any           drupal   < 7.35-1  UNKNOWN
