CVE-2015-6660

high

Description

The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly validate the form token, which allows remote attackers to conduct CSRF attacks that upload files in a different user's account via vectors related to "file upload value callbacks."

References

https://www.drupal.org/SA-CORE-2015-003

http://www.securitytracker.com/id/1033358

http://www.debian.org/security/2015/dsa-3346

http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165840.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165733.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165723.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165704.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165690.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165061.html

Details

Source: Mitre, NVD

Published: 2015-08-24

Updated: 2016-12-24

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Severity: High