CVE-2015-4364

Name of the Vulnerable Software and Affected Versions Campaign Monitor module versions 7.x-1.0

Description The issue concerns multiple cross-site request forgery (CSRF) vulnerabilities in the Campaign Monitor module for Drupal. These vulnerabilities allow remote attackers to hijack the authentication of users for specific requests. The affected requests include enabling list subscriptions via "admin/config/services/campaignmonitor/lists/%/enable" and disabling list subscriptions via "admin/config/services/campaignmonitor/lists/%/disable". It is crucial to note that this issue affects the Campaign Monitor module for Drupal, not the Campaign Monitor software itself.

Recommendations For Campaign Monitor module version 7.x-1.0, consider disabling the includes/campaignmonitor lists.admin.inc file or restricting access to the affected API endpoints "admin/config/services/campaignmonitor/lists/%/enable" and "admin/config/services/campaignmonitor/lists/%/disable" until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.