CVE-2017-6379

7.5HIGH

Key Information

Vendor: Drupal
Status: Drupal Core
Vendor: CVE Published:; 16 March 2017

Summary

Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.

Affected Version(s)

Drupal Core = 8.2.x versions before 8.2.7

Refferences

http://www.securitytracker.com/id/1038058

vdb-entryx_refsource_SECTRACK

https://www.drupal.org/SA-2017-001

x_refsource_CONFIRM

http://www.securityfocus.com/bid/96919

vdb-entryx_refsource_BID

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Mar 16, 2017
Vulnerability Reserved
Feb 28, 2017

Collectors

NVD DatabaseMitre Database