Cross-site request forgery in Drupal Drupal
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | N/A |
| CWE-ID | CWE-352 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Drupal Web applications / CMS |
| Vendor | Drupal |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Cross-site request forgery
EUVDB-ID: #VU551
Risk: Low
CVSSv3.1: 6.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability increases attacker's possibility to perform cross-site request forgery attack.
The weakness exists due to improper work of the aggregator module. Availability of items of certain RSS feeds may lead to its deleting and cause CSRF.
Successful exploitation of the vulnerability may result in CSRF attack.
Update 4.7.x to 4.7.11.
http://ftp.drupal.org/files/projects/drupal-4.7.11.tar.gz
Update 5.x to 5.6.
http://ftp.drupal.org/files/projects/drupal-5.6.tar.gz
Drupal: 4.7.0 - 5.5
CPE2.3 External linkshttp://www.drupal.org/node/208562
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
