Drupal Core 4.6.x Form Action Attribute Injection (4.6.0 - 4.6.9)

Description
  • Drupal Core is prone to a form action attribute injection vulnerability because it fails to properly verify user-supplied input. An attacker may leverage this issue to redirect Drupal form submissions to a third-party site under their control, thus gaining access to sensitive information such as e-mail addresses and possibly other private profile data. Drupal Core 4.6.x versions from 4.6.0 up to and including 4.6.9 are vulnerable.
Remediation
  • Update to Drupal Core version 4.6.10 or the latest version.