Vulnerability Name:

CVE-2007-4063 (CCN-35639)

Assigned:2007-07-26
Published:2007-07-26
Updated:2017-07-29
Summary:Multiple cross-site request forgery (CSRF) vulnerabilities in Drupal 5.x before 5.2 allow remote attackers to (1) delete comments, (2) delete content revisions, and (3) disable menu items as privileged users, related to improper use of HTTP GET and the Forms API.
CVSS v3 Severity:4.8 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:P)
3.0 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-Other
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2007-4063

Source: CONFIRM
Type: Patch
http://drupal.org/files/sa-2007-017/advisory.txt

Source: CCN
Type: DRUPAL-SA-2007-017
Drupal core - Cross site request forgeries

Source: OSVDB
Type: UNKNOWN
37898

Source: CCN
Type: SA26224
Drupal Multiple Cross-Site Scripting and Request Forgery Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
26224

Source: CCN
Type: OSVDB ID: 37898
Drupal Forms API Multiple Method CSRF

Source: BID
Type: Patch
25099

Source: CCN
Type: BID-25099
Drupal Cross-Site Request Forgery Vulnerability

Source: VUPEN
Type: UNKNOWN
ADV-2007-2697

Source: XF
Type: UNKNOWN
drupal-formsapi-csrf(35639)

Source: XF
Type: UNKNOWN
drupal-formsapi-csrf(35639)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:drupal:drupal:5.0:*:*:*:*:*:*:*
  • OR cpe:/a:drupal:drupal:5.1:*:*:*:*:*:*:*
  • OR cpe:/a:drupal:drupal:5.1_rev1.1:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    drupal drupal 5.0
    drupal drupal 5.1
    drupal drupal 5.1_rev1.1