Cross-site request forgery in Drupal

#VU6109 Cross-site request forgery in Drupal

Published: 2017-03-17

Vulnerability identifier: #VU6109

Vulnerability risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-6379

CWE-ID: CWE-352

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Drupal
Web applications / CMS

Vendor: Drupal

Description

The vulnerability allows a remote attacker to perform CSRF attacks.

The vulnerability exists due to certain administrative forms do not have protection against CSRF attacks. A remote attacker can create a specially crafted website, trick the logged-in administrator to visit it and disable some blocks on affected website.

Successful exploitation of the vulnerability requires knowledge of block identifier.

Mitigation
Update to version 8.2.7.

Vulnerable software versions

Drupal: 8.2.0 - 8.2.6, 8.1.0 - 8.1.10, 8.0.0 - 8.0.6

External links
http://www.drupal.org/SA-2017-001

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Three vulnerabilities in Drupal