Lucene search

Drupal Security TeamDRUPAL-SA-CONTRIB-2015-058

HistoryFeb 25, 2015 - 12:00 a.m.

SA-CONTRIB-2015-058 - Spider Catalog - Cross Site Request Forgery (CSRF) - Unsupported

2015-02-2500:00:00

Drupal Security Team

www.drupal.org

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.967 High

EPSS

Percentile

99.7%

JSON

Spider Catalog module enables you to build product catalogs.

The module doesn’t sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to delete products, ratings and categories by getting their browser to make a request to a specially-crafted URL.

CVE identifier(s) issued

CVE-2015-4350

Versions affected

All versions of Spider Catalog module.

Drupal core is not affected. If you do not use the contributed Spider Catalog module, there is nothing you need to do.

Solution

If you use the Spider Catalog module you should uninstall it.

Also see the Spider Catalog project page.

Reported by

Pere Orga of the Drupal Security Team

Fixed by

Not applicable.

Coordinated by

Pere Orga of the Drupal Security Team

References

twitter.com/drupalsecurity

www.drupal.org/contact

www.drupal.org/project/spider-catalog

www.drupal.org/security-team

www.drupal.org/security-team/risk-levels

www.drupal.org/security/secure-configuration

www.drupal.org/user/2301194

www.drupal.org/writing-secure-code

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.967 High

EPSS

Percentile

99.7%

JSON

Related for DRUPAL-SA-CONTRIB-2015-058