Incorrect cache handling made private content viewed by "user 1" exposed to other, non-privileged users (CVE-2015-3231).
A flaw in the Field UI module made it possible for attackers to redirect users to malicious sites (CVE-2015-3232).
Due to insufficient URL validation, the Overlay module could be used to redirect users to malicious sites (CVE-2015-3233).
The OpenID module allowed an attacker to log in as other users, including administrators (CVE-2015-3234).