drupal | Drupal Security Team | DRUPAL-SA-CONTRIB-2012-068
May 02, 2012 - 12:00 a.m.

SA-CONTRIB-2012-068 - Node Gallery - Cross Site Request Forgery (CSRF) - Unsupported

2012-05-02 00:00:00
Drupal Security Team
www.drupal.org

CVSS2: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

  • Attack Vector: NETWORK
  • Attack Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

EPSS: 0.002 (Percentile: 52.8%)

CVE: CVE-2012-2305

Node Gallery enables users to create more flexible and powerful galleries that are fully integrated with Drupal’s core node system.
This module does not protect against CSRF attacks when creating node galleries.

Versions affected

  • 6.x-3.1 and before

Drupal core is not affected. If you do not use the contributed Node Gallery module, there is nothing you need to do.

Solution

Uninstall the module; it is no longer supported.

Also see the Node Gallery project page.

Reported by

Coordinated by
