Cross-site request forgery in Drupal - CVE-2015-6660
Published: September 14, 2016
Vulnerability identifier: #VU429
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2015-6660
CWE-ID: CWE-352
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Drupal
Affected software:
Drupal
Drupal
Detailed vulnerability description
The vulnerability allows a remote user to perform cross-site request forgery.
The weakness is caused by unsufficient input checking. Attackers can upload temporary malicious files under the account of another user.
Successful exploitation of this vulnerability may result in CSRF conducting.
The weakness is caused by unsufficient input checking. Attackers can upload temporary malicious files under the account of another user.
Successful exploitation of this vulnerability may result in CSRF conducting.
How to mitigate CVE-2015-6660
Update 6.x to 6.37.
https://www.drupal.org/drupal-6.37-release-notes
Update 7.x to 7.39.
https://www.drupal.org/drupal-7.39-release-notes
https://www.drupal.org/drupal-6.37-release-notes
Update 7.x to 7.39.
https://www.drupal.org/drupal-7.39-release-notes