Source: IOActive Labs Research: Drupal – Insecure Update Process

Issue #1: Whenever the Drupal update process fails, Drupal states that everything is up to date instead of giving a warning.

Issue #2: An attacker may force an admin to check for updates due to a CSRF vulnerability in the update functionality.

Issue #3: Drupal security updates are transferred unencrypted and without any check of their authenticity, which could lead to code execution and database access.
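The sketch below is an added example, not Drupal's code or code from the IOActive write-up. It shows the defensive counterpart to Issues #1 and #3: an update check that reports failure as its own state instead of "up to date", and a package check that rejects bytes whose digest does not match. The `fetch` callable, the feed URL, the version strings and the idea of a digest obtained over an authenticated channel are all assumptions made for illustration.

```python
import hashlib
import hmac
from enum import Enum
from urllib.parse import urlsplit


class UpdateStatus(Enum):
    UP_TO_DATE = "up to date"
    UPDATE_AVAILABLE = "update available"
    CHECK_FAILED = "could not check for updates"  # distinct state, shown as a warning


def check_for_update(installed, feed_url, fetch):
    """Return (status, latest_version).

    `fetch` is a hypothetical transport callable: fetch(url) returns a dict such
    as {"version": "1.2"} and raises on any network or parse error.
    """
    if urlsplit(feed_url).scheme != "https":
        return UpdateStatus.CHECK_FAILED, None  # refuse a cleartext feed
    try:
        latest = fetch(feed_url)["version"]
        if not isinstance(latest, str) or not latest:
            raise ValueError("feed carried no usable version")
    except Exception:
        # Issue #1: a failed or malformed check must not read as "up to date".
        return UpdateStatus.CHECK_FAILED, None
    if latest == installed:
        return UpdateStatus.UP_TO_DATE, latest
    return UpdateStatus.UPDATE_AVAILABLE, latest


def verify_package(data, expected_sha256):
    """Issue #3: accept package bytes only if they match a digest the admin
    obtained over an authenticated channel (an assumption of this sketch)."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.strip().lower())


if __name__ == "__main__":
    def unreachable(url):  # constructed failure: the update server cannot be reached
        raise OSError("connection timed out")

    status, _ = check_for_update("1.1", "https://updates.example.com/feed", unreachable)
    print(status.value)
```

A digest delivered over the same unauthenticated channel as the package gives no protection, so the expected value has to come from a source the attacker on the network path cannot alter.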