Drupal : Security Vulnerabilities (CSRF)

CVSS Scores Greater Than: 0 1 2 3 4 5 6 7 8 9

Sort Results By : CVE Number Descending CVE Number Ascending CVSS Score Descending Number Of Exploits Descending

#	CVE ID	CWE ID	# of Exploits	Vulnerability Type(s)	Publish Date	Update Date	Score	Gained Access Level	Access	Complexity	Authentication	Conf.	Integ.	Avail.
1	CVE-2020-13674	352		CSRF	2022-02-11	2022-02-18	4.3	None	Remote	Medium	Not required	None	Partial	None
The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Removing the "access in-place editing" permission from untrusted users will not fully mitigate the vulnerability.
2	CVE-2020-13663	352		CSRF	2021-06-11	2021-06-21	6.8	None	Remote	Medium	Not required	Partial	Partial	Partial
Cross Site Request Forgery vulnerability in Drupal Core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities.
3	CVE-2017-6379	352		CSRF	2017-03-16	2017-07-12	5.1	None	Remote	High	Not required	Partial	Partial	Partial
Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.
4	CVE-2015-6660	352		CSRF	2015-08-24	2016-12-24	6.8	None	Remote	Medium	Not required	Partial	Partial	Partial
The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly validate the form token, which allows remote attackers to conduct CSRF attacks that upload files in a different user's account via vectors related to "file upload value callbacks."
5	CVE-2013-7407	352		CSRF	2014-10-22	2014-10-23	6.8	None	Remote	Medium	Not required	Partial	Partial	Partial
Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
6	CVE-2013-6385	94		Exec Code CSRF	2013-12-07	2014-01-14	5.1	None	Remote	High	Not required	Partial	Partial	Partial
The form API in Drupal 6.x before 6.29 and 7.x before 7.24, when used with unspecified third-party modules, performs form validation even when CSRF validation has failed, which might allow remote attackers to trigger application-specific impacts such as arbitrary code execution via application-specific vectors.
7	CVE-2012-2079	352		CSRF	2019-11-22	2019-12-11	6.8	None	Remote	Medium	Not required	Partial	Partial	Partial
A cross-site request forgery (CSRF) vulnerability in the Activity module 6.x-1.x for Drupal.
8	CVE-2012-0826	352		DoS CSRF	2013-10-28	2014-03-08	6.8	None	Remote	Medium	Not required	Partial	Partial	Partial
Cross-site request forgery (CSRF) vulnerability in the Aggregator module in Drupal 6.x before 6.23 and 7.x before 7.11 allows remote attackers to hijack the authentication of unspecified victims for requests that update feeds and possibly cause a denial of service (loss of updates due to rate limit) via unspecified vectors.
9	CVE-2009-1576			+Info CSRF	2009-05-06	2009-05-20	4.3	None	Remote	Medium	Not required	Partial	None	None
Unspecified vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows user-assisted remote attackers to obtain sensitive information by tricking victims into visiting the front page of the site with a crafted URL and causing form data to be sent to an attacker-controlled site, possibly related to multiple / (slash) characters that are not properly handled by includes/bootstrap.inc, as demonstrated using the search box. NOTE: this vulnerability can be leveraged to conduct cross-site request forgery (CSRF) attacks.
10	CVE-2008-6532	352		CSRF	2009-03-26	2017-08-17	6.8	None	Remote	Medium	Not required	Partial	Partial	Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in the update feature in Drupal 5.x before 5.13 and 6.x before 6.7 allow remote attackers to perform unauthorized actions as the superuser via unspecified vectors, as demonstrated by causing the superuser to "execute old updates" that modify the database.
11	CVE-2008-6384	352		CSRF	2009-03-02	2017-08-17	6.8	None	Remote	Medium	Not required	Partial	Partial	Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Comment Mail 5.x before 5.x-1.1, a module for Drupal, allow remote attackers to hijack the authentication of administrators.
12	CVE-2008-6169	352		CSRF	2009-02-19	2017-08-17	6.8	None	Remote	Medium	Not required	Partial	Partial	Partial
Cross-site request forgery (CSRF) vulnerability in the Localization client 5.x before 5.x-1.1 and 6.x before 6.x-1.6 and the Localization server 5.x before 5.x-1.0-alpha5 and 6.x before 6.x-alpha2, modules for Drupal, allows remote attackers to perform unauthorized actions as administrators via unspecified vectors related to the "local translation submission interface."
13	CVE-2008-3744	352		CSRF	2008-08-27	2017-08-08	5.8	None	Remote	Medium	Not required	None	Partial	Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Drupal 5.x before 5.10 and 6.x before 6.4 allow remote attackers to hijack the authentication of administrators for requests that (1) add or (2) delete user access rules.
14	CVE-2008-3743	352		CSRF	2008-08-27	2017-08-08	5.8	None	Remote	Medium	Not required	None	Partial	Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in forms in Drupal 6.x before 6.4 allow remote attackers to perform unspecified actions via unknown vectors, related to improper token validation for (1) cached forms and (2) forms with AHAH elements.
15	CVE-2008-3221	352		CSRF	2008-07-18	2021-04-15	4.3	None	Remote	Medium	Not required	None	Partial	None
Cross-site request forgery (CSRF) vulnerability in Drupal 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of OpenID identities.
16	CVE-2008-3220	352		CSRF	2008-07-18	2021-04-15	4.3	None	Remote	Medium	Not required	None	Partial	None
Cross-site request forgery (CSRF) vulnerability in Drupal 5.x before 5.8 and 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of "translated strings."
17	CVE-2008-0571	352		CSRF	2008-02-05	2011-03-08	4.3	None	Remote	Medium	Not required	None	Partial	None
The point moderation form in the Userpoints 4.7.x before 4.7.x-2.3, 5.x-2 before 5.x-2.16, and 5.x-3 before 5.x-3.3 module for Drupal does not follow Drupal's Forms API submission model, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and manipulate points.
18	CVE-2008-0272	352		CSRF	2008-01-15	2017-08-08	4.3	None	Remote	Medium	Not required	None	Partial	None
Cross-site request forgery (CSRF) vulnerability in the aggregator module in Drupal 4.7.x before 4.7.11 and 5.x before 5.6 allows remote attackers to delete items from a feed as privileged users.
19	CVE-2008-0271	352		CSRF	2008-01-15	2017-08-08	4.3	None	Remote	Medium	Not required	None	Partial	None
The editor deletion form in BUEditor 4.7.x before 4.7.x-1.0 and 5.x before 5.x-1.1, a module for Drupal, does not follow Drupal's Forms API submission model, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and delete custom editor interfaces.
20	CVE-2007-6752	352	2	CSRF	2012-03-28	2012-03-28	6.8	None	Remote	Medium	Not required	Partial	Partial	Partial
DISPUTED Cross-site request forgery (CSRF) vulnerability in Drupal 7.12 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that end a session via the user/logout URI. NOTE: the vendor disputes the significance of this issue, by considering the "security benefit against platform complexity and performance impact" and concluding that a change to the logout behavior is not planned because "for most sites it is not worth the trade-off."
21	CVE-2007-6320	352		CSRF	2007-12-12	2008-11-15	4.3	None	Remote	Medium	Not required	None	Partial	None
Feature 4.7.x-dev and 5.x-dev before 20071206, a Drupal module, does not follow Drupal's Forms API submission model, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks.
22	CVE-2007-5594	352		CSRF	2007-10-19	2021-04-19	4.3	None	Remote	Medium	Not required	None	Partial	None
Drupal 5.x before 5.3 does not apply its Drupal Forms API protection against the user deletion form, which allows remote attackers to delete users via a cross-site request forgery (CSRF) attack.
23	CVE-2007-4063			CSRF	2007-07-30	2017-07-29	4.3	None	Remote	Medium	Not required	None	Partial	None
Multiple cross-site request forgery (CSRF) vulnerabilities in Drupal 5.x before 5.2 allow remote attackers to (1) delete comments, (2) delete content revisions, and (3) disable menu items as privileged users, related to improper use of HTTP GET and the Forms API.
24	CVE-2007-2160			CSRF	2007-04-22	2011-03-08	7.5	None	Remote	Low	Not required	Partial	Partial	Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in the Database Administration (dba) module 4.6.x-, and before 4.7.x-1.2 in the 4.7.x-1. series, for Drupal allow remote attackers to perform unauthorized actions as an arbitrary user, a related issue to CVE-2006-5476.
25	CVE-2006-5476			CSRF	2006-10-24	2018-10-17	7.5	None	Remote	Low	Not required	Partial	Partial	Partial
Cross-site request forgery (CSRF) vulnerability in Drupal 4.6.x before 4.6.10 and 4.7.x before 4.7.4 allows remote attackers to perform unauthorized actions as an arbitrary user via unspecified vectors.

Total number of vulnerabilities : 25 Page : 1 (This Page)