PT-2008-2197 · Drupal · Userpoints Module
Greg Knaddison +1 · Published 2008-02-05 · Updated 2011-03-08 · CVE-2008-0571
| CVSS v2.0 | 4.3 (Medium) |
| Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Userpoints module for Drupal versions 4.7.x before 4.7.x-2.3
Userpoints module for Drupal versions 5.x-2 before 5.x-2.16
Userpoints module for Drupal versions 5.x-3 before 5.x-3.3
Description
The point moderation form in the Userpoints module for Drupal does not adhere to Drupal's Forms API submission model. As a result, remote attackers can conduct cross-site request forgery (CSRF) attacks and manipulate points.
Recommendations
For Userpoints module for Drupal version 4.7.x, update to version 4.7.x-2.3 or later.
For Userpoints module for Drupal version 5.x-2, update to version 5.x-2.16 or later.
For Userpoints module for Drupal version 5.x-3, update to version 5.x-3.3 or later.
Fix
CSRF
Affected Products
Userpoints Module