CVE-2015-6660: CSRF
First published: Mon Aug 24 2015(Updated: )
The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly validate the form token, which allows remote attackers to conduct CSRF attacks that upload files in a different user's account via vectors related to "file upload value callbacks."
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Drupal | =6.0 | |
| Drupal | =6.0-beta1 | |
| Drupal | =6.0-beta2 | |
| Drupal | =6.0-beta3 | |
| Drupal | =6.0-beta4 | |
| Drupal | =6.0-dev | |
| Drupal | =6.0-rc1 | |
| Drupal | =6.0-rc2 | |
| Drupal | =6.0-rc3 | |
| Drupal | =6.0-rc4 | |
| Drupal | =6.1 | |
| Drupal | =6.2 | |
| Drupal | =6.3 | |
| Drupal | =6.4 | |
| Drupal | =6.5 | |
| Drupal | =6.6 | |
| Drupal | =6.7 | |
| Drupal | =6.8 | |
| Drupal | =6.9 | |
| Drupal | =6.10 | |
| Drupal | =6.11 | |
| Drupal | =6.12 | |
| Drupal | =6.13 | |
| Drupal | =6.14 | |
| Drupal | =6.15 | |
| Drupal | =6.16 | |
| Drupal | =6.17 | |
| Drupal | =6.18 | |
| Drupal | =6.19 | |
| Drupal | =6.20 | |
| Drupal | =6.21 | |
| Drupal | =6.22 | |
| Drupal | =6.23 | |
| Drupal | =6.24 | |
| Drupal | =6.25 | |
| Drupal | =6.26 | |
| Drupal | =6.27 | |
| Drupal | =6.28 | |
| Drupal | =6.29 | |
| Drupal | =6.30 | |
| Drupal | =6.31 | |
| Drupal | =6.32 | |
| Drupal | =6.33 | |
| Drupal | =6.34 | |
| Drupal | =6.35 | |
| Drupal | =6.36 | |
| Drupal | =7.0 | |
| Drupal | =7.0-alpha1 | |
| Drupal | =7.0-alpha2 | |
| Drupal | =7.0-alpha3 | |
| Drupal | =7.0-alpha4 | |
| Drupal | =7.0-alpha5 | |
| Drupal | =7.0-alpha6 | |
| Drupal | =7.0-alpha7 | |
| Drupal | =7.0-beta1 | |
| Drupal | =7.0-beta2 | |
| Drupal | =7.0-beta3 | |
| Drupal | =7.0-dev | |
| Drupal | =7.0-rc1 | |
| Drupal | =7.0-rc2 | |
| Drupal | =7.0-rc3 | |
| Drupal | =7.0-rc4 | |
| Drupal | =7.1 | |
| Drupal | =7.2 | |
| Drupal | =7.3 | |
| Drupal | =7.4 | |
| Drupal | =7.5 | |
| Drupal | =7.6 | |
| Drupal | =7.7 | |
| Drupal | =7.8 | |
| Drupal | =7.9 | |
| Drupal | =7.10 | |
| Drupal | =7.11 | |
| Drupal | =7.12 | |
| Drupal | =7.13 | |
| Drupal | =7.14 | |
| Drupal | =7.15 | |
| Drupal | =7.16 | |
| Drupal | =7.17 | |
| Drupal | =7.18 | |
| Drupal | =7.19 | |
| Drupal | =7.20 | |
| Drupal | =7.21 | |
| Drupal | =7.22 | |
| Drupal | =7.23 | |
| Drupal | =7.24 | |
| Drupal | =7.25 | |
| Drupal | =7.26 | |
| Drupal | =7.27 | |
| Drupal | =7.28 | |
| Drupal | =7.29 | |
| Drupal | =7.30 | |
| Drupal | =7.33 | |
| Drupal | =7.34 | |
| Drupal | =7.35 | |
| Drupal | =7.36 | |
| Drupal | =7.37 | |
| Drupal | =7.38 | |
| Drupal | =7.x-dev |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165061.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165690.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165704.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165723.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165733.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165840.html
- http://www.debian.org/security/2015/dsa-3346
- http://www.securitytracker.com/id/1033358
- https://www.drupal.org/SA-CORE-2015-003
Frequently Asked Questions
What is the severity of CVE-2015-6660?
CVE-2015-6660 is considered a moderate severity vulnerability due to its potential for cross-site request forgery (CSRF) attacks.
How do I fix CVE-2015-6660?
To fix CVE-2015-6660, you need to upgrade to Drupal version 6.37 or 7.39 or later where the token validation has been properly implemented.
What does CVE-2015-6660 exploit?
CVE-2015-6660 exploits the Form API in Drupal by allowing remote attackers to upload files to another user's account.
Which versions of Drupal are affected by CVE-2015-6660?
CVE-2015-6660 affects Drupal versions 6.x before 6.37 and 7.x before 7.39.
What are the potential impacts of CVE-2015-6660?
The potential impacts of CVE-2015-6660 include unauthorized file uploads and possible data integrity issues due to CSRF attacks.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/remedy
- agent/references
- agent/author
- agent/severity
- agent/weakness
- agent/first-publish-date
- agent/description
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/drupal
- canonical/drupal
- version/drupal/6.0
- version/drupal/6.0-beta1
- version/drupal/6.0-beta2
- version/drupal/6.0-beta3
- version/drupal/6.0-beta4
- version/drupal/6.0-dev
- version/drupal/6.0-rc1
- version/drupal/6.0-rc2
- version/drupal/6.0-rc3
- version/drupal/6.0-rc4
- version/drupal/6.1
- version/drupal/6.2
- version/drupal/6.3
- version/drupal/6.4
- version/drupal/6.5
- version/drupal/6.6
- version/drupal/6.7
- version/drupal/6.8
- version/drupal/6.9
- version/drupal/6.10
- version/drupal/6.11
- version/drupal/6.12
- version/drupal/6.13
- version/drupal/6.14
- version/drupal/6.15
- version/drupal/6.16
- version/drupal/6.17
- version/drupal/6.18
- version/drupal/6.19
- version/drupal/6.20
- version/drupal/6.21
- version/drupal/6.22
- version/drupal/6.23
- version/drupal/6.24
- version/drupal/6.25
- version/drupal/6.26
- version/drupal/6.27
- version/drupal/6.28
- version/drupal/6.29
- version/drupal/6.30
- version/drupal/6.31
- version/drupal/6.32
- version/drupal/6.33
- version/drupal/6.34
- version/drupal/6.35
- version/drupal/6.36
- version/drupal/7.0
- version/drupal/7.0-alpha1
- version/drupal/7.0-alpha2
- version/drupal/7.0-alpha3
- version/drupal/7.0-alpha4
- version/drupal/7.0-alpha5
- version/drupal/7.0-alpha6
- version/drupal/7.0-alpha7
- version/drupal/7.0-beta1
- version/drupal/7.0-beta2
- version/drupal/7.0-beta3
- version/drupal/7.0-dev
- version/drupal/7.0-rc1
- version/drupal/7.0-rc2
- version/drupal/7.0-rc3
- version/drupal/7.0-rc4
- version/drupal/7.1
- version/drupal/7.2
- version/drupal/7.3
- version/drupal/7.4
- version/drupal/7.5
- version/drupal/7.6
- version/drupal/7.7
- version/drupal/7.8
- version/drupal/7.9
- version/drupal/7.10
- version/drupal/7.11
- version/drupal/7.12
- version/drupal/7.13
- version/drupal/7.14
- version/drupal/7.15
- version/drupal/7.16
- version/drupal/7.17
- version/drupal/7.18
- version/drupal/7.19
- version/drupal/7.20
- version/drupal/7.21
- version/drupal/7.22
- version/drupal/7.23
- version/drupal/7.24
- version/drupal/7.25
- version/drupal/7.26
- version/drupal/7.27
- version/drupal/7.28
- version/drupal/7.29
- version/drupal/7.30
- version/drupal/7.33
- version/drupal/7.34
- version/drupal/7.35
- version/drupal/7.36
- version/drupal/7.37
- version/drupal/7.38
- version/drupal/7.x-dev