Drupal Security TeamDRUPAL-SA-CONTRIB-2015-099Node Template - Moderately Critical - Cross Site Request Forgery (CSRF) - Unsupported - SA-CONTRIB-2015-099
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS
Percentile
99.7%
Node Template module enables you to define any node as a node template and it can be duplicated later.
The module doesn’t sufficiently protect some URLs against CSRF. A malicious user can cause a user with “access node template” permission to delete node templates by getting their browser to make a request to a specially-crafted URL.
CVE identifier(s) issued
- CVE-2015-4397
Versions affected
All versions of Node Template module.
Drupal core is not affected. If you do not use the contributed Node Template module, there is nothing you need to do.
Solution
If you use the Node Template module you should uninstall it.
Also see the Node Template project page.
Reported by
- Pere Orga of the Drupal Security Team
Fixed by
Not applicable.
Coordinated by
- Pere Orga of the Drupal Security Team
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS
Percentile
99.7%