Cross-site request forgery (CSRF) vulnerability in Drupal 4.6.x before 4.6.10 and 4.7.x before 4.7.4 allows remote attackers to perform unauthorized actions as an arbitrary user via unspecified vectors.
Max CVSS
7.5
EPSS Score
1.83%
Published
2006-10-24
Updated
2018-10-17
Multiple cross-site request forgery (CSRF) vulnerabilities in the Database Administration (dba) module 4.6.x-*, and before 4.7.x-1.2 in the 4.7.x-1.* series, for Drupal allow remote attackers to perform unauthorized actions as an arbitrary user, a related issue to CVE-2006-5476.
Max CVSS
7.5
EPSS Score
1.04%
Published
2007-04-22
Updated
2011-03-08
Multiple cross-site request forgery (CSRF) vulnerabilities in Drupal 5.x before 5.2 allow remote attackers to (1) delete comments, (2) delete content revisions, and (3) disable menu items as privileged users, related to improper use of HTTP GET and the Forms API.
Max CVSS
4.3
EPSS Score
0.96%
Published
2007-07-30
Updated
2017-07-29
Drupal 5.x before 5.3 does not apply its Drupal Forms API protection against the user deletion form, which allows remote attackers to delete users via a cross-site request forgery (CSRF) attack.
Max CVSS
4.3
EPSS Score
0.22%
Published
2007-10-19
Updated
2021-04-19
Feature 4.7.x-dev and 5.x-dev before 20071206, a Drupal module, does not follow Drupal's Forms API submission model, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks.
Max CVSS
4.3
EPSS Score
0.08%
Published
2007-12-12
Updated
2008-11-15
Cross-site request forgery (CSRF) vulnerability in Drupal 7.12 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that end a session via the user/logout URI. NOTE: the vendor disputes the significance of this issue, by considering the "security benefit against platform complexity and performance impact" and concluding that a change to the logout behavior is not planned because "for most sites it is not worth the trade-off.
Max CVSS
6.8
EPSS Score
0.43%
Published
2012-03-28
Updated
2024-03-21
The editor deletion form in BUEditor 4.7.x before 4.7.x-1.0 and 5.x before 5.x-1.1, a module for Drupal, does not follow Drupal's Forms API submission model, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and delete custom editor interfaces.
Max CVSS
4.3
EPSS Score
0.15%
Published
2008-01-15
Updated
2017-08-08
Cross-site request forgery (CSRF) vulnerability in the aggregator module in Drupal 4.7.x before 4.7.11 and 5.x before 5.6 allows remote attackers to delete items from a feed as privileged users.
Max CVSS
4.3
EPSS Score
0.25%
Published
2008-01-15
Updated
2017-08-08
The point moderation form in the Userpoints 4.7.x before 4.7.x-2.3, 5.x-2 before 5.x-2.16, and 5.x-3 before 5.x-3.3 module for Drupal does not follow Drupal's Forms API submission model, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and manipulate points.
Max CVSS
4.3
EPSS Score
0.15%
Published
2008-02-05
Updated
2011-03-08
Cross-site request forgery (CSRF) vulnerability in Drupal 5.x before 5.8 and 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of "translated strings."
Max CVSS
4.3
EPSS Score
0.26%
Published
2008-07-18
Updated
2021-04-15
Cross-site request forgery (CSRF) vulnerability in Drupal 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of OpenID identities.
Max CVSS
4.3
EPSS Score
0.27%
Published
2008-07-18
Updated
2021-04-15
Multiple cross-site request forgery (CSRF) vulnerabilities in forms in Drupal 6.x before 6.4 allow remote attackers to perform unspecified actions via unknown vectors, related to improper token validation for (1) cached forms and (2) forms with AHAH elements.
Max CVSS
5.8
EPSS Score
0.28%
Published
2008-08-27
Updated
2017-08-08
Multiple cross-site request forgery (CSRF) vulnerabilities in Drupal 5.x before 5.10 and 6.x before 6.4 allow remote attackers to hijack the authentication of administrators for requests that (1) add or (2) delete user access rules.
Max CVSS
5.8
EPSS Score
0.35%
Published
2008-08-27
Updated
2017-08-08
Cross-site request forgery (CSRF) vulnerability in the Localization client 5.x before 5.x-1.1 and 6.x before 6.x-1.6 and the Localization server 5.x before 5.x-1.0-alpha5 and 6.x before 6.x-alpha2, modules for Drupal, allows remote attackers to perform unauthorized actions as administrators via unspecified vectors related to the "local translation submission interface."
Max CVSS
6.8
EPSS Score
0.16%
Published
2009-02-19
Updated
2017-08-17
Multiple cross-site request forgery (CSRF) vulnerabilities in Comment Mail 5.x before 5.x-1.1, a module for Drupal, allow remote attackers to hijack the authentication of administrators.
Max CVSS
6.8
EPSS Score
0.16%
Published
2009-03-02
Updated
2017-08-17
Multiple cross-site request forgery (CSRF) vulnerabilities in the update feature in Drupal 5.x before 5.13 and 6.x before 6.7 allow remote attackers to perform unauthorized actions as the superuser via unspecified vectors, as demonstrated by causing the superuser to "execute old updates" that modify the database.
Max CVSS
6.8
EPSS Score
0.33%
Published
2009-03-26
Updated
2017-08-17
Cross-site request forgery (CSRF) vulnerability in the Plus 1 module before 6.x-2.6, a module for Drupal, allows remote attackers to cast votes for content via unspecified aspects of the URI.
Max CVSS
6.8
EPSS Score
0.30%
Published
2009-03-20
Updated
2017-08-17
Unspecified vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows user-assisted remote attackers to obtain sensitive information by tricking victims into visiting the front page of the site with a crafted URL and causing form data to be sent to an attacker-controlled site, possibly related to multiple / (slash) characters that are not properly handled by includes/bootstrap.inc, as demonstrated using the search box. NOTE: this vulnerability can be leveraged to conduct cross-site request forgery (CSRF) attacks.
Max CVSS
4.3
EPSS Score
0.67%
Published
2009-05-06
Updated
2009-05-20
Multiple cross-site request forgery (CSRF) vulnerabilities in the "My Account" feature in PHPList Integration module 5 before 5.x-1.2 and 6 before 6.x-1.1 for Drupal allow remote attackers to hijack the authentication of arbitrary users via vectors related to (1) subscribing or (2) unsubscribing to mailing lists.
Max CVSS
6.8
EPSS Score
0.31%
Published
2009-11-24
Updated
2017-08-17
Cross-site request forgery (CSRF) vulnerability in the Aggregator module in Drupal 6.x before 6.23 and 7.x before 7.11 allows remote attackers to hijack the authentication of unspecified victims for requests that update feeds and possibly cause a denial of service (loss of updates due to rate limit) via unspecified vectors.
Max CVSS
6.8
EPSS Score
0.09%
Published
2013-10-28
Updated
2014-03-08
A cross-site request forgery (CSRF) vulnerability in the Activity module 6.x-1.x for Drupal.
Max CVSS
8.8
EPSS Score
0.07%
Published
2019-11-22
Updated
2019-12-11
The form API in Drupal 6.x before 6.29 and 7.x before 7.24, when used with unspecified third-party modules, performs form validation even when CSRF validation has failed, which might allow remote attackers to trigger application-specific impacts such as arbitrary code execution via application-specific vectors.
Max CVSS
5.1
EPSS Score
5.57%
Published
2013-12-07
Updated
2014-01-14
Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
Max CVSS
6.8
EPSS Score
0.09%
Published
2014-10-22
Updated
2014-10-23
The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly validate the form token, which allows remote attackers to conduct CSRF attacks that upload files in a different user's account via vectors related to "file upload value callbacks."
Max CVSS
6.8
EPSS Score
0.34%
Published
2015-08-24
Updated
2016-12-24
Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.
Max CVSS
7.5
EPSS Score
0.13%
Published
2017-03-16
Updated
2017-07-12
28 vulnerabilities found
1 2
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!