Lucene search

Drupal Security TeamDRUPAL-SA-CONTRIB-2012-099

HistoryJun 13, 2012 - 12:00 a.m.

SA-CONTRIB-2012-099 - Node Hierarchy - Cross Site Request Forgery (CSRF)

2012-06-1300:00:00

Drupal Security Team

www.drupal.org

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS

0.967

Percentile

99.7%

JSON

Node Hierarchy module allows for the creation of parent child relationships among nodes that can create a tree-like hierarchy of content.

The module doesn’t sufficiently confirm user intent when reordering children nodes allowing a malicious user to trick a site admin to changing the desired hierarchy.

CVE: CVE-2012-2728

Versions affected

Node Hierarchy 6.x-1.x versions prior to 6.x-1.5.

Drupal core is not affected. If you do not use the contributed Node Hierarchy module, there is nothing you need to do.

Solution

Install the latest version:

If you use the Node Hierarchy module for Drupal 6.x, upgrade to Node Hierarchy 6.x-1.5

Also see the Node Hierarchy project page.

Reported by

Dylan Tack of the Drupal Security Team

Fixed by

Ronan Dowling the module maintainer

Coordinated by

Greg Knaddison of the Drupal Security Team

References

drupal.org/contact

drupal.org/project/nodehierarchy

drupal.org/security-team

drupal.org/security-team/risk-levels

drupal.org/security/secure-configuration

drupal.org/user/36762

drupal.org/user/72815

drupal.org/user/96647

drupal.org/writing-secure-code

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS

0.967

Percentile

99.7%

JSON

Related for DRUPAL-SA-CONTRIB-2012-099