CVE-2017-6379
Vulnerability Description
Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.
Known Affected Software
7 configurations from 1 vendor (vendor: drupal, product: drupal)
- 8.2.0 (cpe:2.3:a:drupal:drupal:8.2.0:-:*:*:*:*:*:*)
- 8.2.1 (cpe:2.3:a:drupal:drupal:8.2.1:*:*:*:*:*:*:*)
- 8.2.2 (cpe:2.3:a:drupal:drupal:8.2.2:*:*:*:*:*:*:*)
- 8.2.3 (cpe:2.3:a:drupal:drupal:8.2.3:*:*:*:*:*:*:*)
- 8.2.4 (cpe:2.3:a:drupal:drupal:8.2.4:*:*:*:*:*:*:*)
- 8.2.5 (cpe:2.3:a:drupal:drupal:8.2.5:*:*:*:*:*:*:*)
- 8.2.6 (cpe:2.3:a:drupal:drupal:8.2.6:*:*:*:*:*:*:*)
This vulnerability affects 7 software configurations. Ensure you patch all affected systems.
References & Resources
- http://www.securityfocus.com/bid/96919
- http://www.securitytracker.com/id/1038058
- https://www.drupal.org/SA-2017-001 (Release Notes, Third Party Advisory)
Severity Details
out of 10.0
Low
Weakness Type (CWE)
CWE-352
Top 25 #4
Cross-Site Request Forgery (CSRF)
- Description: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
- Exploit Likelihood: Medium
- Typical Severity: High
- OWASP Top 10: A01:2021-Broken Access Control
- Abstraction Level: Compound
Key Information
- Published Date: March 16, 2017
