Main Vulnerability Database Vulnerabilities #VU544

Cross-site request forgery in Drupal - #VU544

Published: September 19, 2016 / Updated: September 20, 2016

Vulnerability identifier: #VU544

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: N/A

CWE-ID: CWE-352

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Drupal

Affected software:
Drupal

Detailed vulnerability description

The vulnerability exposes remote user's possibility to perform cross-site request forgery attack.
The weakness exists due to improper request checking. Attackers can trick the victim into visiting specially crafted page or site that leads to translated strings and OpenID identities deletion and causes cross-site request forgery.
Successful explitation of the vulnerability may result in CSRF.

Remediation

Update 5.x to 5.8.
http://ftp.drupal.org/files/projects/drupal-5.8.tar.gz
Update 6.x to 6.3.
http://ftp.drupal.org/files/projects/drupal-6.3.tar.gz

Sources

https://www.drupal.org/node/280571

Cross-site request forgery in Drupal - #VU544

Detailed vulnerability description

Remediation

Sources

Please verify you're human