CVE-2007-6752

Cross-site request forgery (CSRF) vulnerability in Drupal 7.12 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that end a session via the user/logout URI. NOTE: the vendor disputes the significance of this issue, by considering the "security benefit against platform complexity and performance impact" and concluding that a change to the logout behavior is not planned because "for most sites it is not worth the trade-off.

CVSS v2.0 6.8 MEDIUM

6.8^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://drupal.org/node/144538	Vendor Advisory
http://groups.drupal.org/node/216314	Vendor Advisory
http://ivanobinetti.blogspot.it/2012/03/drupal-cms-712-latest-stable-release.html
http://packetstormsecurity.org/files/110404/drupal712-xsrf.txt	Exploit
http://www.exploit-db.com/exploits/18564/	Exploit

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:drupal:drupal::::::::
	cpe:2.3:a:drupal:drupal:4.0:::::::*
	cpe:2.3:a:drupal:drupal:4.0.0:::::::*
	cpe:2.3:a:drupal:drupal:4.1.0:::::::*
	cpe:2.3:a:drupal:drupal:4.2.0_rc:::::::*
	cpe:2.3:a:drupal:drupal:4.4:::::::*
	cpe:2.3:a:drupal:drupal:4.4.0:::::::*
	cpe:2.3:a:drupal:drupal:4.4.1:::::::*
	cpe:2.3:a:drupal:drupal:4.4.2:::::::*
	cpe:2.3:a:drupal:drupal:4.4.3:::::::*
	cpe:2.3:a:drupal:drupal:4.5:::::::*
	cpe:2.3:a:drupal:drupal:4.5.0:::::::*
	cpe:2.3:a:drupal:drupal:4.5.1:::::::*
	cpe:2.3:a:drupal:drupal:4.5.2:::::::*
	cpe:2.3:a:drupal:drupal:4.5.3:::::::*
	cpe:2.3:a:drupal:drupal:4.5.4:::::::*
	cpe:2.3:a:drupal:drupal:4.5.5:::::::*
	cpe:2.3:a:drupal:drupal:4.5.6:::::::*
	cpe:2.3:a:drupal:drupal:4.5.7:::::::*
	cpe:2.3:a:drupal:drupal:4.5.8:::::::*
	cpe:2.3:a:drupal:drupal:4.6:::::::*
	cpe:2.3:a:drupal:drupal:4.6.0:::::::*
	cpe:2.3:a:drupal:drupal:4.6.1:::::::*
	cpe:2.3:a:drupal:drupal:4.6.2:::::::*
	cpe:2.3:a:drupal:drupal:4.6.3:::::::*
	cpe:2.3:a:drupal:drupal:4.6.4:::::::*
	cpe:2.3:a:drupal:drupal:4.6.5:::::::*
	cpe:2.3:a:drupal:drupal:4.6.6:::::::*
	cpe:2.3:a:drupal:drupal:4.6.7:::::::*
	cpe:2.3:a:drupal:drupal:4.6.8:::::::*
	cpe:2.3:a:drupal:drupal:4.6.9:::::::*
	cpe:2.3:a:drupal:drupal:4.6.10:::::::*
	cpe:2.3:a:drupal:drupal:4.6.11:::::::*
	cpe:2.3:a:drupal:drupal:4.7:::::::*
	cpe:2.3:a:drupal:drupal:4.7.0:::::::*
	cpe:2.3:a:drupal:drupal:4.7.1:::::::*
	cpe:2.3:a:drupal:drupal:4.7.2:::::::*
	cpe:2.3:a:drupal:drupal:4.7.3:::::::*
	cpe:2.3:a:drupal:drupal:4.7.4:::::::*
	cpe:2.3:a:drupal:drupal:4.7.5:::::::*
	cpe:2.3:a:drupal:drupal:4.7.6:::::::*
	cpe:2.3:a:drupal:drupal:4.7.7:::::::*
	cpe:2.3:a:drupal:drupal:4.7.8:::::::*
	cpe:2.3:a:drupal:drupal:4.7.9:::::::*
	cpe:2.3:a:drupal:drupal:4.7.10:::::::*
	cpe:2.3:a:drupal:drupal:4.7_rev_1.2:::::::*
	cpe:2.3:a:drupal:drupal:4.7_rev_1.15:::::::*
	cpe:2.3:a:drupal:drupal:4.7_rev1.15:::::::*
	cpe:2.3:a:drupal:drupal:4.7_revision_1.2:::::::*
	cpe:2.3:a:drupal:drupal:5.0:::::::*
	cpe:2.3:a:drupal:drupal:5.0:beta1::::::
	cpe:2.3:a:drupal:drupal:5.0:beta2::::::
	cpe:2.3:a:drupal:drupal:5.0:dev::::::
	cpe:2.3:a:drupal:drupal:5.0:rc1::::::
	cpe:2.3:a:drupal:drupal:5.0:rc2::::::
	cpe:2.3:a:drupal:drupal:5.1:::::::*
	cpe:2.3:a:drupal:drupal:5.1_rev1.1:::::::*
	cpe:2.3:a:drupal:drupal:5.2:::::::*
	cpe:2.3:a:drupal:drupal:5.3:::::::*
	cpe:2.3:a:drupal:drupal:5.4:::::::*
	cpe:2.3:a:drupal:drupal:5.5:::::::*
	cpe:2.3:a:drupal:drupal:5.5.:::::::*
	cpe:2.3:a:drupal:drupal:5.6:::::::*
	cpe:2.3:a:drupal:drupal:5.7:::::::*
cpe:2.3:a:drupal:drupal:5.8:::::::*
cpe:2.3:a:drupal:drupal:5.9:::::::*
cpe:2.3:a:drupal:drupal:5.10:::::::*
cpe:2.3:a:drupal:drupal:5.11:::::::*
cpe:2.3:a:drupal:drupal:5.12:::::::*
cpe:2.3:a:drupal:drupal:5.13:::::::*
cpe:2.3:a:drupal:drupal:5.14:::::::*
cpe:2.3:a:drupal:drupal:5.15:::::::*
cpe:2.3:a:drupal:drupal:5.16:::::::*
cpe:2.3:a:drupal:drupal:5.17:::::::*
cpe:2.3:a:drupal:drupal:5.18:::::::*
cpe:2.3:a:drupal:drupal:5.19:::::::*
cpe:2.3:a:drupal:drupal:5.20:::::::*
cpe:2.3:a:drupal:drupal:5.21:::::::*
cpe:2.3:a:drupal:drupal:5.22:::::::*
cpe:2.3:a:drupal:drupal:5.23:::::::*
cpe:2.3:a:drupal:drupal:5.x:dev::::::
cpe:2.3:a:drupal:drupal:6.0:::::::*
cpe:2.3:a:drupal:drupal:6.0:beta1::::::
cpe:2.3:a:drupal:drupal:6.0:beta2::::::
cpe:2.3:a:drupal:drupal:6.0:beta3::::::
cpe:2.3:a:drupal:drupal:6.0:beta4::::::
cpe:2.3:a:drupal:drupal:6.0:dev::::::
cpe:2.3:a:drupal:drupal:6.0:rc-1::::::
cpe:2.3:a:drupal:drupal:6.0:rc-2::::::
cpe:2.3:a:drupal:drupal:6.0:rc-3::::::
cpe:2.3:a:drupal:drupal:6.0:rc-4::::::
cpe:2.3:a:drupal:drupal:6.0:rc1::::::
cpe:2.3:a:drupal:drupal:6.0:rc2::::::
cpe:2.3:a:drupal:drupal:6.0:rc3::::::
cpe:2.3:a:drupal:drupal:6.0:rc4::::::
cpe:2.3:a:drupal:drupal:6.1:::::::*
cpe:2.3:a:drupal:drupal:6.2:::::::*
cpe:2.3:a:drupal:drupal:6.3:::::::*
cpe:2.3:a:drupal:drupal:6.4:::::::*
cpe:2.3:a:drupal:drupal:6.5:::::::*
cpe:2.3:a:drupal:drupal:6.6:::::::*
cpe:2.3:a:drupal:drupal:6.7:::::::*
cpe:2.3:a:drupal:drupal:6.8:::::::*
cpe:2.3:a:drupal:drupal:6.9:::::::*
cpe:2.3:a:drupal:drupal:6.10:::::::*
cpe:2.3:a:drupal:drupal:6.11:::::::*
cpe:2.3:a:drupal:drupal:6.12:::::::*
cpe:2.3:a:drupal:drupal:6.13:::::::*
cpe:2.3:a:drupal:drupal:6.14:::::::*
cpe:2.3:a:drupal:drupal:6.15:::::::*
cpe:2.3:a:drupal:drupal:6.16:::::::*
cpe:2.3:a:drupal:drupal:6.17:::::::*
cpe:2.3:a:drupal:drupal:6.18:::::::*
cpe:2.3:a:drupal:drupal:6.19:::::::*
cpe:2.3:a:drupal:drupal:6.20:::::::*
cpe:2.3:a:drupal:drupal:6.21:::::::*
cpe:2.3:a:drupal:drupal:6.22:::::::*
cpe:2.3:a:drupal:drupal:6.23:::::::*
cpe:2.3:a:drupal:drupal:6.24:::::::*
cpe:2.3:a:drupal:drupal:6.x-dev:::::::*
cpe:2.3:a:drupal:drupal:7.0:::::::*
cpe:2.3:a:drupal:drupal:7.0:alpha1::::::
cpe:2.3:a:drupal:drupal:7.0:alpha2::::::
cpe:2.3:a:drupal:drupal:7.0:alpha3::::::
cpe:2.3:a:drupal:drupal:7.0:alpha4::::::
cpe:2.3:a:drupal:drupal:7.0:alpha5::::::
cpe:2.3:a:drupal:drupal:7.0:alpha6::::::
cpe:2.3:a:drupal:drupal:7.0:alpha7::::::
cpe:2.3:a:drupal:drupal:7.0:beta1::::::
cpe:2.3:a:drupal:drupal:7.0:beta2::::::
cpe:2.3:a:drupal:drupal:7.0:beta3::::::
cpe:2.3:a:drupal:drupal:7.0:dev::::::
cpe:2.3:a:drupal:drupal:7.0:rc1::::::
cpe:2.3:a:drupal:drupal:7.0:rc2::::::
cpe:2.3:a:drupal:drupal:7.0:rc3::::::
cpe:2.3:a:drupal:drupal:7.0:rc4::::::
cpe:2.3:a:drupal:drupal:7.1:::::::*
cpe:2.3:a:drupal:drupal:7.2:::::::*
cpe:2.3:a:drupal:drupal:7.3:::::::*
cpe:2.3:a:drupal:drupal:7.4:::::::*
cpe:2.3:a:drupal:drupal:7.5:::::::*
cpe:2.3:a:drupal:drupal:7.6:::::::*
cpe:2.3:a:drupal:drupal:7.7:::::::*
cpe:2.3:a:drupal:drupal:7.8:::::::*
cpe:2.3:a:drupal:drupal:7.9:::::::*
cpe:2.3:a:drupal:drupal:7.10:::::::*
cpe:2.3:a:drupal:drupal:7.11:::::::*
cpe:2.3:a:drupal:drupal:7.x-dev:::::::*

History

07 Nov 2023, 02:01

Type	Values Removed	Values Added
Summary	DISPUTED Cross-site request forgery (CSRF) vulnerability in Drupal 7.12 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that end a session via the user/logout URI. NOTE: the vendor disputes the significance of this issue, by considering the "security benefit against platform complexity and performance impact" and concluding that a change to the logout behavior is not planned because "for most sites it is not worth the trade-off."	Cross-site request forgery (CSRF) vulnerability in Drupal 7.12 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that end a session via the user/logout URI. NOTE: the vendor disputes the significance of this issue, by considering the "security benefit against platform complexity and performance impact" and concluding that a change to the logout behavior is not planned because "for most sites it is not worth the trade-off.

Information

Published : 2012-03-28 10:54

Updated : 2024-04-11 00:43

NVD link : CVE-2007-6752

Mitre link : CVE-2007-6752

CVE.ORG link : CVE-2007-6752

JSON object : View

Products Affected

drupal

drupal

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

6.8 /10