Drupal Security Team, DRUPAL-SA-CONTRIB-2015-086
Mar 25, 2015 - 12:00 a.m.

Decisions - Moderately Critical - Cross Site Request Forgery (CSRF) - Unsupported - SA-CONTRIB-2015-086

2015-03-25 00:00:00
Drupal Security Team
www.drupal.org

CVSS2: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

  • Attack Vector: NETWORK
  • Attack Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

EPSS: 0.967 (Percentile: 99.7%)

Decisions module is a replacement for the Poll module and provides advanced voting systems and decision-making tools.

The module doesn’t sufficiently protect some links against CSRF. A malicious user can cause another user to remove individual voters by getting their browser to make a request to a specially-crafted URL.

CVE identifier(s) issued

  • CVE-2015-4383

Versions affected

  • All versions of Decisions module

Drupal core is not affected. If you do not use the contributed Decisions module, there is nothing you need to do.

Solution

If you use the Decisions module you should uninstall it.

Also see the Decisions project page.

Reported by

Fixed by

Not applicable.

Coordinated by
