Description

Drupal Core is prone to a form action attribute injection vulnerability because it fails to properly verify user-supplied input. An attacker may leverage this issue to redirect Drupal form submissions to a third-party site under his control, thus gaining access to sensitive information such as e-mail addresses and possible other private profile data. Drupal Core versions 4.7.x ranging from 4.7.0 and up to and including 4.7.3 are vulnerable.

Remediation

Update to Drupal Core version 4.7.4 or latest

References

https://www.drupal.org/node/88829

Related Vulnerabilities

Apache Tomcat Improper Handling of Exceptional Conditions Vulnerability (CVE-2021-30639)

Microsoft SQL Server Other Vulnerability (CVE-2000-0654)

Drupal 7PK - Security Features Vulnerability (CVE-2016-3168)

Drupal Permissions, Privileges, and Access Controls Vulnerability (CVE-2010-3092)

WordPress Plugin Blog2Social:Social Media Auto Post & Scheduler Multiple Vulnerabilities (6.9.9)

Severity

High

Classification

CVE-2006-5477 CWE-20 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update