Cross-site request forgery in Drupal - #VU578
Published: September 21, 2016
Vulnerability identifier: #VU578
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-352
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Drupal
Affected software:
Drupal
Drupal
Detailed vulnerability description
The vulnerability allows a remote user to perform cross-site request forgery attack.
The weakness is caused by improper access control. After tricking the victim into visiting specially crafted URL(s), attackers can change passwords, post PHP code or create new users.
Successful exploitation of the vulnerability enables a malicious user to conduct CSRF attack.
The weakness is caused by improper access control. After tricking the victim into visiting specially crafted URL(s), attackers can change passwords, post PHP code or create new users.
Successful exploitation of the vulnerability enables a malicious user to conduct CSRF attack.
Remediation
Update 4.6.x to 4.6.10.
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz
Update 4.7.x to 4.7.4.
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.4.tar.gz
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.6.10.tar.gz
Update 4.7.x to 4.7.4.
http://ftp.osuosl.org/pub/drupal/files/projects/drupal-4.7.4.tar.gz