1. Home
  2. CVE Database
  3. CVE-2015-6660
MEDIUM · 6.8

CVE-2015-6660

The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly validate the form token, which allows remote attackers to conduct CSRF attacks that upload files in a different user's acco...

Vulnerability Description

The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly validate the form token, which allows remote attackers to conduct CSRF attacks that upload files in a different user's account via vectors related to "file upload value callbacks."

CVSS Score

6.8

MEDIUM

AV:N/AC:M/Au:N/C:P/I:P/A:P
Confidentiality
PARTIAL
Integrity
PARTIAL
Availability
PARTIAL

Affected Products

VendorProductVersions
DrupalDrupal6.0

Related Weaknesses (CWE)

CWE-352

References

FAQ

What is CVE-2015-6660?

CVE-2015-6660 is a vulnerability with a CVSS score of 6.8 (MEDIUM). The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly validate the form token, which allows remote attackers to conduct CSRF attacks that upload files in a different user's acco...

How severe is CVE-2015-6660?

CVE-2015-6660 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2015-6660?

Check the references section above for vendor advisories and patch information. Affected products include: Drupal Drupal.