Description
The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly validate the form token, which allows remote attackers to conduct CSRF attacks that upload files in a different user's account via vectors related to "file upload value callbacks."
Remediation
References