Description

The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly validate the form token, which allows remote attackers to conduct CSRF attacks that upload files in a different user's account via vectors related to "file upload value callbacks."

Remediation

References

CVE-2015-6660

Related Vulnerabilities

WordPress Plugin Visualizer:Tables and Charts Manager for WordPress PHAR Deserialization (3.7.9)

Joomla Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-10242)

SharePoint Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2018-8580)

WordPress Plugin WP Photo Album Plus Unspecified Vulnerability (6.5.00)

WordPress Plugin Annonces 'theme.php' Arbitrary File Upload (1.2.0.1)

Severity

Medium

Classification

CVE-2015-6660 CWE-352

Tags

Missing Update Known Vulnerabilities