CVE-2017-6379

Severity: 7.5 HIGH
EPSS: 0.2% (top 59.05%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 16; Latest update May 17

Description

Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 1.6 | Impact: 5.9

Affected Packages (4 packages)

Packagist | drupal/core | 8.2.0 | 8.2.7
Packagist | drupal/drupal | 8.2.0 | 8.2.7
NVD | drupal/drupal | 7 versions +6
CVEListV5 | drupal/drupal_core | 8.2.x versions before 8.2.7

Vulnerability Details (3)

GHSA: Drupal Cross-Site Request Forgery (CSRF) (2022-05-17)
OSV: Drupal Cross-Site Request Forgery (CSRF) (2022-05-17)
CVEList: CVE-2017-6379: Some administrative paths in Drupal 8 (2017-03-16)
CVE-2017-6379 (HIGH CVSS 7.5) | Some administrative paths in Drupal | cvebase.io