From the Mageia bug report:
Multiple vulnerabilities were fixed in the supported Drupal core versions
* A reflected cross-site scripting vulnerability (XSS) was identified in
causing it to insert HTML into the page when the intended behavior is to select
DOM elements. Multiple core and contributed modules are affected by this issue.
* A vulnerability was identified that exposes the title or, in some cases, the
content of nodes that the user should not have access to.
* Drupal core provides the ability to have private files, including images. A
vulnerability was identified in which derivative images (which Drupal
automatically creates from these images based on "image styles" and which may
differ, for example, in size or saturation) did not always receive the same
protection. Under some circumstances, this would allow users to access image
derivatives for images they should not be able to view.