CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:P/I:P/A:P
EPSS
Percentile
99.7%
The XSS issue is
CVE: CVE-2012-2076
The CSRF issue is
CVE: CVE-2012-2077
The ShareThis module allows you to display social networking tools to users.
The administration forms of the module do not properly use the Form API allowing a malicious user to inject unexpected settings, allowing for cross-site scripting attacks (XSS). Additionally, the module had an incomplete feature for updating these settings outside of the Form API which was vulnerable to a cross site request forgery attack.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer sharethis”.
Drupal core is not affected. If you do not use the contributed ShareThis module, there is nothing you need to do.
Install the latest version:
Also see the ShareThis project page.