By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CONTRIB-2012-069
- Project: Addressbook (third-party module)
- Version: 6.x
- Date: 2012-May-02
- Security risk: Highly critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting, Cross Site Request Forgery, SQL Injection
Description
This module contains a simple addressbook.
The module has multiple issues including SQL Injection and Cross Site Request Forgery.
CVE identifiers:
- SQL Injection: CVE-2012-2306
- Cross Site Request Forgery: CVE-2012-2307
Versions affected
- 6.x-4.2 and before
Drupal core is not affected. If you do not use the contributed Addressbook module, there is nothing you need to do.
Solution
This module is not supported. Uninstall the module.
Also see the Addressbook project page.
Reported by
- Michael Hess of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.