WEB APPLICATION VULNERABILITIES Standard & Premium

Drupal Core 7.x Cross-Site Request Forgery (7.0 - 7.12)

Description

Drupal Core is prone to a cross-site request forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected application; other attacks are also possible. Drupal Core versions 7.x ranging from 7.0 and up to and including 7.12 are vulnerable.

Remediation

Follow the recommendations suggested in advisories

References

https://groups.drupal.org/files/drupal712_csrf_disclosure.txt

https://www.exploit-db.com/exploits/18564/

https://packetstormsecurity.com/files/110404/Drupal-CMS-7.12-Cross-Site-Request-Forgery.html

https://heine.familiedeelstra.com/packetstorm-advisory-csrf-march-2012

https://groups.drupal.org/node/216314

Related Vulnerabilities

Mustache Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2015-8862)

Joomla CVE-2009-3945 Vulnerability (CVE-2009-3945)

XOOPS Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2008-0612)

Plone CMS Permissions, Privileges, and Access Controls Vulnerability (CVE-2015-7317)

WordPress Plugin Simple add pages or posts Cross-Site Request Forgery (1.6)

Severity

High

Classification

CVE-2007-6752 CWE-352 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Tags

Missing Update CSRF