Web Hosting Forum | Lunarpages
Author Topic: [High Alert] Drupal Core 6.x & 7.x Security Vulnerabilities  (Read 1809 times)
Dragos
Administrator
Spacescooter Operator
Posts: 30

« on: May 29, 2011, 09:54:15 AM »

Executive Summary: the Drupal Security Team has released a Critical, pure security update. No other bug fixes have been released. Drupal Core 6.20 or earlier and 7.0 are affected.

Technical Details: Drupal core was discovered to be vulnerable to an access bypass and a cross site scripting vulnerability.

Specific information PER Drupal:

Multiple vulnerabilities and weaknesses were discovered in Drupal.

Reflected cross site scripting vulnerability in error handler:

A reflected cross site scripting vulnerability was discovered in Drupal's error handler. Drupal displays PHP errors in the messages area, and a specially crafted URL can cause malicious scripts to be injected into the message. The issue can be mitigated by disabling on-screen error display at admin/settings/error-reporting. This is the recommended setting for production sites. This issue affects Drupal 6.x only.

Cross site scripting vulnerability in Color module: when using re-colorable themes, color inputs are not sanitized. Malicious color values can be used to insert arbitrary CSS and script code. Successful exploitation requires the "Administer themes" permission. This issue affects Drupal 6.x and 7.x.

Access bypass in File module: when using private files in combination with a node access module, the File module allows unrestricted access to private files. This issue affects Drupal 7.x only.

Recommendation: back up your site and update immediately to either 6.21 (or later) or, if you are using 7.x, to 7.1 (or later).

Source: http://Drupal.org/node/1168756

--
Dragos Gabriel Fedorovici
JSA Supervisor - System Administrator Team
Add2Net Inc., LunarPages Division
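The Color module item in the post above describes the class of defect where a submitted colour value is written into generated CSS without validation. As an added example, not Drupal's code and not part of the original post, here is that weak pattern next to a strict allow-list check, in Python rather than PHP; the sample palette, the function names and the fallback colour are constructed for illustration.

```python
import re

# Strict allow-list: a CSS hex colour is '#' followed by exactly 3 or 6 hex digits.
# Anything else (names, stray delimiters, braces) is rejected rather than "cleaned".
HEX_COLOR = re.compile(r"#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})")

# Constructed sample of what a "re-colorable theme" form might submit.
SAMPLE_PALETTE = {
    "body": "#0077cc",   # well-formed
    "a": "#FFF",         # short form, also well-formed
    "h1": "#0077cc;",    # trailing delimiter ends the declaration early
    "h2": "#00gg00",     # not hex at all
}

def is_valid_color(value: str) -> bool:
    """True only if the whole string is a well-formed hex colour."""
    return HEX_COLOR.fullmatch(value) is not None

def render_stylesheet_unsafe(palette: dict) -> str:
    """Weak pattern: each submitted value is interpolated verbatim into CSS."""
    return "".join(f"{selector} {{ color: {value}; }}\n"
                   for selector, value in palette.items())

def render_stylesheet_safe(palette: dict) -> str:
    """Hardened: refuse the whole palette if any value fails the allow-list."""
    for selector, value in palette.items():
        if not is_valid_color(value):
            raise ValueError(f"rejected colour for {selector!r}: {value!r}")
    # Safe only because every value above passed the allow-list.
    return render_stylesheet_unsafe(palette)

def filter_palette(palette: dict, default: str = "#000000") -> dict:
    """Alternative: replace invalid values with a known-good default."""
    return {selector: value if is_valid_color(value) else default
            for selector, value in palette.items()}

def palette_is_rejected(palette: dict) -> bool:
    """Helper for checking that the hardened renderer refuses a palette."""
    try:
        render_stylesheet_safe(palette)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    # The unsafe output shows the doubled delimiter; the safe path never emits it.
    print(render_stylesheet_unsafe(SAMPLE_PALETTE))
    print(render_stylesheet_safe(filter_palette(SAMPLE_PALETTE)))
```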