Drupal Security Team - DRUPAL-SA-CONTRIB-2017-020
Feb 22, 2017 - 12:00 a.m.

Timezone Detect - Moderately Critical - Cross Site Request Forgery - SA-CONTRIB-2017-020

www.drupal.org

This module enables sites to automatically detect and set user timezones via JavaScript.

The module does not sufficiently protect against Cross-Site Request Forgery (CSRF): an attacker could use this vulnerability to manipulate a user’s timezone setting. The security implication of this issue depends on the site. It can range from a minor annoyance to a more serious bug on a site that relies on the timezone for some more important purpose.
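One common Drupal 7 pattern for protecting a JavaScript-driven, state-changing callback of this kind is sketched below. It is an added example, not the Timezone Detect module's code or its actual fix; the module name `tzdemo`, the path, and the POST field names are hypothetical.

```php
<?php
// Added example: hypothetical Drupal 7 module "tzdemo", not Timezone Detect's code.

/** Implements hook_menu(): AJAX endpoint that stores the detected timezone. */
function tzdemo_menu() {
  $items['tzdemo/ajax/set-timezone'] = array(
    'page callback' => 'tzdemo_set_timezone',
    'access callback' => 'user_is_logged_in',
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/** Implements hook_page_build(): expose a session-bound token to the site's own JS. */
function tzdemo_page_build(&$page) {
  if (user_is_logged_in()) {
    $settings = array('token' => drupal_get_token('tzdemo_set_timezone'));
    drupal_add_js(array('tzdemo' => $settings), 'setting');
  }
}

/** Page callback: validate the request before changing any state. */
function tzdemo_set_timezone() {
  global $user;
  $token = isset($_POST['token']) ? $_POST['token'] : '';
  $timezone = isset($_POST['timezone']) ? $_POST['timezone'] : '';

  // A page on another origin cannot read Drupal.settings.tzdemo.token, so a
  // forged request arrives without a token valid for this session.
  if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !is_string($token)
      || !drupal_valid_token($token, 'tzdemo_set_timezone')) {
    drupal_add_http_header('Status', '403 Forbidden');
    return drupal_json_output(array('error' => 'invalid token'));
  }
  // Accept only timezone identifiers that PHP itself recognises.
  if (!is_string($timezone) || !in_array($timezone, timezone_identifiers_list(), TRUE)) {
    drupal_add_http_header('Status', '400 Bad Request');
    return drupal_json_output(array('error' => 'unknown timezone'));
  }
  $account = user_load($user->uid);
  user_save($account, array('timezone' => $timezone));
  drupal_json_output(array('timezone' => $timezone));
}
```

The site's own script would send `Drupal.settings.tzdemo.token` in the `token` field of its POST request alongside the detected timezone.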

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Timezone Detect 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Timezone Detect module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Timezone Detect project page.

Reported by

Fixed by

Coordinated by