SA-CONTRIB-2015-001 - OPAC - Cross Site Request Forgery (CSRF)

OPAC module enables you to create mappings between node fields and ILS record fields.

The module doesn’t ask for confirmation when removing a mapping, leaving this operation vulnerable to cross-site request forgery (CSRF) attacks.

CVE identifier(s) issued

• CVE-2015-3343

Versions affected

• OPAC 7.x-2.x versions prior to 7.x-2.3.

Drupal core is not affected. If you do not use the contributed OPAC module,
there is nothing you need to do.

Solution

Install the latest version:

• If you use the OPAC module 7.x-2.0, upgrade to OPAC 7.x-2.3

Also see the OPAC project page.

Reported by

• Pere Orga provisional member of the Drupal Security Team

Fixed by

• Julian Maurice the module maintainer
• Pere Orga provisional member of the Drupal Security Team

Coordinated by

• Pere Orga provisional member of the Drupal Security Team