User deletion cross site request forgery in Drupal

#VU554 User deletion cross site request forgery in Drupal

Cybersecurity Help s.r.o.

Published: 2016-09-20

Vulnerability identifier: #VU554

Vulnerability risk: Medium

CVSSv3.1: 6.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-352

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Drupal
Web applications / CMS

Vendor: Drupal

Description
The vulnerability allows a remote user to perform CSRF attack and cause valid user deletion.
The weakness exists due to improper Forms API functionality. A malicous site can cause a user to unintentionally submit a form to a site where he is authenticated that leads to cross-site request forgery.
Successful exploitation of the vulnerability may cause CSRF that may result in user deletion.

Mitigation
Update to 5.3.
http://ftp.drupal.org/files/projects/drupal-5.3.tar.g

Vulnerable software versions

Drupal: 5.0 - 5.2

External links
http://www.drupal.org/node/184348

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

User deletion cross site request forgery in Drupal Drupal