Cross-site request forgery in Drupal - #VU551
Published: September 20, 2016
Vulnerability identifier: #VU551
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-352
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Drupal
Affected software:
Drupal
Drupal
Detailed vulnerability description
The vulnerability increases attacker's possibility to perform cross-site request forgery attack.
The weakness exists due to improper work of the aggregator module. Availability of items of certain RSS feeds may lead to its deleting and cause CSRF.
Successful exploitation of the vulnerability may result in CSRF attack.
The weakness exists due to improper work of the aggregator module. Availability of items of certain RSS feeds may lead to its deleting and cause CSRF.
Successful exploitation of the vulnerability may result in CSRF attack.
Remediation
Update 4.7.x to 4.7.11.
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz
Update 5.x to 5.6.
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz
Update 5.x to 5.6.
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz