CVE-2015-6660
Published: 24 August 2015
The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly validate the form token, which allows remote attackers to conduct CSRF attacks that upload files in a different user's account via vectors related to "file upload value callbacks."
Priority
Status
Package | Release | Status |
---|---|---|
drupal6 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
precise |
Does not exist
(precise was needed)
|
|
trusty |
Does not exist
|
|
upstream |
Released
(6.37)
|
|
vivid |
Does not exist
|
|
wily |
Does not exist
|
|
xenial |
Does not exist
|
|
yakkety |
Does not exist
|
|
zesty |
Does not exist
|
|
drupal7 Launchpad, Ubuntu, Debian |
artful |
Ignored
(reached end-of-life)
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
precise |
Does not exist
(precise was needed)
|
|
trusty |
Does not exist
(trusty was needed)
|
|
upstream |
Released
(7.39-1)
|
|
vivid |
Does not exist
|
|
wily |
Ignored
(reached end-of-life)
|
|
xenial |
Not vulnerable
(7.44-1ubuntu1~16.04.0)
|
|
yakkety |
Ignored
(reached end-of-life)
|
|
zesty |
Ignored
(reached end-of-life)
|