SA-CONTRIB-2012-068 - Node Gallery - Cross Site Request Forgery (CSRF) - Unsupported

By Drupal Security Team on 2 May 2012 at 14:09 UTC

Advisory ID: DRUPAL-SA-CONTRIB-2012-068
Project: Node Gallery (third-party module)
Version: 6.x
Date: 2012-May-02
Security risk: Less critical
Exploitable from: Remote
Vulnerability: Cross Site Request Forgery

Description

CVE: CVE-2012-2305

Node gallery enable users to create a more flexible and powerful gallery that are fully integrated with Drupal's core node system.
This module does not protect a CSRF attack when creating node galleries.

Versions affected

6.x-3.1 and before

Drupal core is not affected. If you do not use the contributed Node Gallery module, there is nothing you need to do.

Solution

Uninstall the module, this module is no longer supported.

Also see the Node Gallery project page.

Reported by

Andrew Berry

Coordinated by

Michael Hess of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

SA-CONTRIB-2012-068 - Node Gallery - Cross Site Request Forgery (CSRF) - Unsupported

Description

Versions affected

Solution

Reported by

Coordinated by

Contact and More Information

New forum topics

News items

Our community

Documentation

Drupal code base

Governance of community