Cross-site request forgery in Drupal - #VU559
Published: September 20, 2016
Vulnerability identifier: #VU559
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-352
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Drupal
Affected software:
Drupal
Detailed vulnerability description
The vulnerability allows a remote user to perform a cross-site request forgery (CSRF) attack.
The weakness is caused by improper use of the Forms API, or by taking action solely on GET requests. After tricking the victim into visiting a specially crafted URL, attackers can delete comments or content revisions and disable menu items.
Successful exploitation of the vulnerability enables a malicious user to conduct cross-site request forgery.
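The pattern the description names, acting on a GET request with no form token, is shown below next to a hardened handler. This is an added illustration in Python, not Drupal code and not code from the advisory; the handler names, the token scheme, the session id and the comment store are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets

SITE_KEY = secrets.token_bytes(32)   # server-side secret (constructed for the example)
comments = {}                        # hypothetical store: comment id -> text


def form_token(session_id: str, form_id: str) -> str:
    """Token bound to one session and one form; another site cannot read or compute it."""
    msg = f"{session_id}:{form_id}".encode()
    return hmac.new(SITE_KEY, msg, hashlib.sha256).hexdigest()


def delete_comment_unsafe(method: str, session_id: str, cid: int) -> int:
    """Flawed pattern: the session cookie alone authorizes the action, even on GET."""
    comments.pop(cid, None)
    return 200


def delete_comment(method: str, session_id: str, cid: int, token: str = "") -> int:
    """Hardened handler: GET only shows a confirmation form; POST must carry the token."""
    if method == "GET":
        return 200                   # render confirm form with form_token(); no state change
    if method != "POST":
        return 405
    expected = form_token(session_id, f"comment_delete_{cid}")
    if not hmac.compare_digest(expected, token):
        return 403                   # missing or foreign token: treat as forged
    comments.pop(cid, None)
    return 303                       # redirect after the deletion


def demo() -> dict:
    """Replay forged and legitimate requests against both handlers."""
    victim = "sess-victim"           # constructed session id
    comments.update({1: "first", 2: "second", 3: "third"})
    good = form_token(victim, "comment_delete_3")
    results = {
        "unsafe_get": delete_comment_unsafe("GET", victim, 1),
        "forged_get": delete_comment("GET", victim, 2),
        "forged_post": delete_comment("POST", victim, 2, token="guess"),
        "real_post": delete_comment("POST", victim, 3, token=good),
    }
    results["remaining"] = sorted(comments)
    return results

if __name__ == "__main__":
    print(demo())
```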