cnvd - cnvd-2015-05686

cnvd-2015-05686

Vulnerability from cnvd

Title

Drupal Form API跨站请求伪造漏洞

Description

Drupal是一套用PHP语言开发的免费、开源的内容管理系统。 Drupal存在跨站请求伪造漏洞，允许远程攻击者构建恶意URI，诱使用户解析，可以目标用户上下文执行恶意操作。

Severity

中

Patch Name

Drupal Form API跨站请求伪造漏洞的补丁

Patch Description

Drupal是一套用PHP语言开发的免费、开源的内容管理系统。 Drupal存在跨站请求伪造漏洞，允许远程攻击者构建恶意URI，诱使用户解析，可以目标用户上下文执行恶意操作。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

用户可参考如下厂商提供的安全公告获取补丁以修复该漏洞： https://www.drupal.org/drupal-7.39

Reference

http://www.securityfocus.com/bid/76436

Impacted products

Name
['Drupal Drupal 6.x (<6.37)', 'Drupal Drupal 7.x (<7.39)']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "76436"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2015-6660"
    }
  },
  "description": "Drupal\u662f\u4e00\u5957\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u514d\u8d39\u3001\u5f00\u6e90\u7684\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf\u3002\r\n\r\nDrupal\u5b58\u5728\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u6784\u5efa\u6076\u610fURI\uff0c\u8bf1\u4f7f\u7528\u6237\u89e3\u6790\uff0c\u53ef\u4ee5\u76ee\u6807\u7528\u6237\u4e0a\u4e0b\u6587\u6267\u884c\u6076\u610f\u64cd\u4f5c\u3002",
  "discovererName": "Abdullah Hussam",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u53d6\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1a\r\nhttps://www.drupal.org/drupal-7.39",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2015-05686",
  "openTime": "2015-08-27",
  "patchDescription": "Drupal\u662f\u4e00\u5957\u7528PHP\u8bed\u8a00\u5f00\u53d1\u7684\u514d\u8d39\u3001\u5f00\u6e90\u7684\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf\u3002\r\n\r\nDrupal\u5b58\u5728\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u6784\u5efa\u6076\u610fURI\uff0c\u8bf1\u4f7f\u7528\u6237\u89e3\u6790\uff0c\u53ef\u4ee5\u76ee\u6807\u7528\u6237\u4e0a\u4e0b\u6587\u6267\u884c\u6076\u610f\u64cd\u4f5c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Drupal Form API\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Drupal Drupal 6.x (\u003c6.37)",
      "Drupal Drupal 7.x (\u003c7.39)"
    ]
  },
  "referenceLink": "http://www.securityfocus.com/bid/76436",
  "serverity": "\u4e2d",
  "submitTime": "2015-08-22",
  "title": "Drupal Form API\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e"
}

CVE-2015-6660 (GCVE-0-2015-6660)

Vulnerability from cvelistv5

Published

2015-08-24 14:00

Modified

2024-08-06 07:29

Severity ?

CWE

Summary

The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly validate the form token, which allows remote attackers to conduct CSRF attacks that upload files in a different user's account via vectors related to "file upload value callbacks."

References

URL

Tags

	http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165723.html	vendor-advisory, x_refsource_FEDORA
	http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165061.html	vendor-advisory, x_refsource_FEDORA
	http://www.securitytracker.com/id/1033358	vdb-entry, x_refsource_SECTRACK
	http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165840.html	vendor-advisory, x_refsource_FEDORA
	http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165733.html	vendor-advisory, x_refsource_FEDORA
	http://www.debian.org/security/2015/dsa-3346	vendor-advisory, x_refsource_DEBIAN
	https://www.drupal.org/SA-CORE-2015-003	x_refsource_CONFIRM
	http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165690.html	vendor-advisory, x_refsource_FEDORA
	http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165704.html	vendor-advisory, x_refsource_FEDORA