# |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
1 |
CVE-2020-13674 |
352 |
|
CSRF |
2022-02-11 |
2022-02-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
The QuickEdit module does not properly validate access to routes, which could allow cross-site request forgery under some circumstances and lead to possible data integrity issues. Sites are only affected if the QuickEdit module (which comes with the Standard profile) is installed. Removing the "access in-place editing" permission from untrusted users will not fully mitigate the vulnerability. |
2 |
CVE-2020-13663 |
352 |
|
CSRF |
2021-06-11 |
2021-06-21 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Cross Site Request Forgery vulnerability in Drupal Core Form API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities. |
3 |
CVE-2017-6379 |
352 |
|
CSRF |
2017-03-16 |
2017-07-12 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID. |
4 |
CVE-2015-6660 |
352 |
|
CSRF |
2015-08-24 |
2016-12-24 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly validate the form token, which allows remote attackers to conduct CSRF attacks that upload files in a different user's account via vectors related to "file upload value callbacks." |
5 |
CVE-2013-7407 |
352 |
|
CSRF |
2014-10-22 |
2014-10-23 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. |
6 |
CVE-2013-6385 |
94 |
|
Exec Code CSRF |
2013-12-07 |
2014-01-14 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
The form API in Drupal 6.x before 6.29 and 7.x before 7.24, when used with unspecified third-party modules, performs form validation even when CSRF validation has failed, which might allow remote attackers to trigger application-specific impacts such as arbitrary code execution via application-specific vectors. |
7 |
CVE-2012-2079 |
352 |
|
CSRF |
2019-11-22 |
2019-12-11 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
A cross-site request forgery (CSRF) vulnerability in the Activity module 6.x-1.x for Drupal. |
8 |
CVE-2012-0826 |
352 |
|
DoS CSRF |
2013-10-28 |
2014-03-08 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Cross-site request forgery (CSRF) vulnerability in the Aggregator module in Drupal 6.x before 6.23 and 7.x before 7.11 allows remote attackers to hijack the authentication of unspecified victims for requests that update feeds and possibly cause a denial of service (loss of updates due to rate limit) via unspecified vectors. |
9 |
CVE-2009-1576 |
|
|
+Info CSRF |
2009-05-06 |
2009-05-20 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
Unspecified vulnerability in Drupal 5.x before 5.17 and 6.x before 6.11, as used in vbDrupal before 5.17.0, allows user-assisted remote attackers to obtain sensitive information by tricking victims into visiting the front page of the site with a crafted URL and causing form data to be sent to an attacker-controlled site, possibly related to multiple / (slash) characters that are not properly handled by includes/bootstrap.inc, as demonstrated using the search box. NOTE: this vulnerability can be leveraged to conduct cross-site request forgery (CSRF) attacks. |
10 |
CVE-2008-6532 |
352 |
|
CSRF |
2009-03-26 |
2017-08-17 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Multiple cross-site request forgery (CSRF) vulnerabilities in the update feature in Drupal 5.x before 5.13 and 6.x before 6.7 allow remote attackers to perform unauthorized actions as the superuser via unspecified vectors, as demonstrated by causing the superuser to "execute old updates" that modify the database. |
11 |
CVE-2008-6384 |
352 |
|
CSRF |
2009-03-02 |
2017-08-17 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Multiple cross-site request forgery (CSRF) vulnerabilities in Comment Mail 5.x before 5.x-1.1, a module for Drupal, allow remote attackers to hijack the authentication of administrators. |
12 |
CVE-2008-6169 |
352 |
|
CSRF |
2009-02-19 |
2017-08-17 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Cross-site request forgery (CSRF) vulnerability in the Localization client 5.x before 5.x-1.1 and 6.x before 6.x-1.6 and the Localization server 5.x before 5.x-1.0-alpha5 and 6.x before 6.x-alpha2, modules for Drupal, allows remote attackers to perform unauthorized actions as administrators via unspecified vectors related to the "local translation submission interface." |
13 |
CVE-2008-3744 |
352 |
|
CSRF |
2008-08-27 |
2017-08-08 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
Multiple cross-site request forgery (CSRF) vulnerabilities in Drupal 5.x before 5.10 and 6.x before 6.4 allow remote attackers to hijack the authentication of administrators for requests that (1) add or (2) delete user access rules. |
14 |
CVE-2008-3743 |
352 |
|
CSRF |
2008-08-27 |
2017-08-08 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
Multiple cross-site request forgery (CSRF) vulnerabilities in forms in Drupal 6.x before 6.4 allow remote attackers to perform unspecified actions via unknown vectors, related to improper token validation for (1) cached forms and (2) forms with AHAH elements. |
15 |
CVE-2008-3221 |
352 |
|
CSRF |
2008-07-18 |
2021-04-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site request forgery (CSRF) vulnerability in Drupal 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of OpenID identities. |
16 |
CVE-2008-3220 |
352 |
|
CSRF |
2008-07-18 |
2021-04-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site request forgery (CSRF) vulnerability in Drupal 5.x before 5.8 and 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of "translated strings." |
17 |
CVE-2008-0571 |
352 |
|
CSRF |
2008-02-05 |
2011-03-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
The point moderation form in the Userpoints 4.7.x before 4.7.x-2.3, 5.x-2 before 5.x-2.16, and 5.x-3 before 5.x-3.3 module for Drupal does not follow Drupal's Forms API submission model, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and manipulate points. |
18 |
CVE-2008-0272 |
352 |
|
CSRF |
2008-01-15 |
2017-08-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site request forgery (CSRF) vulnerability in the aggregator module in Drupal 4.7.x before 4.7.11 and 5.x before 5.6 allows remote attackers to delete items from a feed as privileged users. |
19 |
CVE-2008-0271 |
352 |
|
CSRF |
2008-01-15 |
2017-08-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
The editor deletion form in BUEditor 4.7.x before 4.7.x-1.0 and 5.x before 5.x-1.1, a module for Drupal, does not follow Drupal's Forms API submission model, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and delete custom editor interfaces. |
20 |
CVE-2007-6752 |
352 |
2
|
CSRF |
2012-03-28 |
2012-03-28 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
** DISPUTED ** Cross-site request forgery (CSRF) vulnerability in Drupal 7.12 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that end a session via the user/logout URI. NOTE: the vendor disputes the significance of this issue, by considering the "security benefit against platform complexity and performance impact" and concluding that a change to the logout behavior is not planned because "for most sites it is not worth the trade-off." |
21 |
CVE-2007-6320 |
352 |
|
CSRF |
2007-12-12 |
2008-11-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Feature 4.7.x-dev and 5.x-dev before 20071206, a Drupal module, does not follow Drupal's Forms API submission model, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks. |
22 |
CVE-2007-5594 |
352 |
|
CSRF |
2007-10-19 |
2021-04-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Drupal 5.x before 5.3 does not apply its Drupal Forms API protection against the user deletion form, which allows remote attackers to delete users via a cross-site request forgery (CSRF) attack. |
23 |
CVE-2007-4063 |
|
|
CSRF |
2007-07-30 |
2017-07-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Multiple cross-site request forgery (CSRF) vulnerabilities in Drupal 5.x before 5.2 allow remote attackers to (1) delete comments, (2) delete content revisions, and (3) disable menu items as privileged users, related to improper use of HTTP GET and the Forms API. |
24 |
CVE-2007-2160 |
|
|
CSRF |
2007-04-22 |
2011-03-08 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
Multiple cross-site request forgery (CSRF) vulnerabilities in the Database Administration (dba) module 4.6.x-*, and before 4.7.x-1.2 in the 4.7.x-1.* series, for Drupal allow remote attackers to perform unauthorized actions as an arbitrary user, a related issue to CVE-2006-5476. |
25 |
CVE-2006-5476 |
|
|
CSRF |
2006-10-24 |
2018-10-17 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
Cross-site request forgery (CSRF) vulnerability in Drupal 4.6.x before 4.6.10 and 4.7.x before 4.7.4 allows remote attackers to perform unauthorized actions as an arbitrary user via unspecified vectors. |