Cross-site request forgery in Drupal - CVE-2013-6385
Published: September 15, 2016
Vulnerability identifier: #VU453
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2013-6385
CWE-ID: CWE-352
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Drupal
Affected software:
Drupal
Detailed vulnerability description
The vulnerability allows a remote user to perform a cross-site request forgery (CSRF) attack.
The weakness exists because the form API validation that is meant to prevent CSRF does not function properly. A form that carries out unsafe operations will expose the system to cross-site request forgery attacks.
Successful exploitation of the vulnerability allows attackers to conduct CSRF.
How to mitigate CVE-2013-6385
Update 6.x to 6.29.
https://www.drupal.org/drupal-6.29-release-notes
Update 7.x to 7.24.
https://www.drupal.org/drupal-7.24-release-notes