Cross-site request forgery in Drupal Drupal
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | N/A |
| CWE-ID | CWE-352 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Drupal Web applications / CMS |
| Vendor | Drupal |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Cross-site request forgery
EUVDB-ID: #VU559
Risk: Low
CVSSv3.1: 6.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform cross-site request forgery attack.
The weakness is caused by improper use of the Forms API, or taking action solely on GET requests. After tricking he victim into visiting specially crafted URL(s), attackers can delete comments or content revisions and disable menu items.
Successful exploitation of the vulnerability enables a malicious user to conduct cross-site request forgery.
Update to 5.2.
http://ftp.drupal.org/files/projects/drupal-5.2.tar.gz
Drupal: 4.0 - 5.1
External linkshttp://www.drupal.org/node/162360
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
