6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.967 High
EPSS
Percentile
99.7%
The Htaccess module allows the creation and deployment of .htaccess files based on custom settings.
Some administration links were not properly protected from Cross Site Request Forgery (CSRF). A malicious user could cause an administrator to deploy or delete .htaccess files by getting the administrator’s browser to request specially crafted URLS while the administrator was logged in.
Drupal core is not affected. If you do not use the contributed htaccess module,
there is nothing you need to do.
Install the latest version:
Also see the htaccess project page.
twitter.com/drupalsecurity
www.drupal.org/contact
www.drupal.org/node/2402825
www.drupal.org/project/htaccess
www.drupal.org/security-team
www.drupal.org/security-team/risk-levels
www.drupal.org/security/secure-configuration
www.drupal.org/user/1679812
www.drupal.org/user/2301194
www.drupal.org/writing-secure-code