- Advisory ID: DRUPAL-SA-CONTRIB-2010-056
- Project: User Queue (third-party module)
- Versions: 6.x
- Date: 2010-May-19
- Security risk: Less Critical
- Exploitable from: Remote
- Vulnerability: Cross-site Request Forgery
Description
The User Queue module allows you to create multiple queues, add users to them, and order the users within the queue. The module is vulnerable to cross-site request forgeries (CSRF) via the URL used to delete users from the queue. A user with "administer user queues" permission could be manipulated into requesting this URL and removing any user from the queue.
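The class of bug described above, and the usual Drupal 6 remedy, as an added example that is not code from the User Queue module or its 6.x-1.1 fix. The module name `example_queue`, the path, the table and all function names are hypothetical; only the "administer user queues" permission string comes from this advisory.

```php
<?php
// Hypothetical Drupal 6 module "example_queue". The path, table and function
// names are assumptions for illustration, not the User Queue module's own.

function example_queue_menu() {
  $items['admin/example-queue/%/remove/%'] = array(
    'title' => 'Remove user from queue',
    'page callback' => 'example_queue_remove_user',
    'page arguments' => array(2, 4),
    // The permission check alone does not stop CSRF: the forged request is
    // sent by the administrator's own browser and carries their session.
    'access arguments' => array('administer user queues'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// Vulnerable pattern: a state-changing action performed on a plain GET with
// nothing that ties the request to a page the site itself rendered.
function example_queue_remove_user_unsafe($qid, $uid) {
  db_query("DELETE FROM {example_queue_users} WHERE qid = %d AND uid = %d", $qid, $uid);
  drupal_goto('admin/example-queue/' . $qid);
}

// Hardened pattern, step 1: every "remove" link the module renders carries a
// token bound to the current session and to this specific queue/user pair.
function example_queue_remove_link($qid, $uid) {
  $token = drupal_get_token("example_queue_remove:$qid:$uid");
  return l(t('remove'), "admin/example-queue/$qid/remove/$uid",
    array('query' => array('token' => $token)));
}

// Hardened pattern, step 2: the callback refuses to act unless the token
// validates, so a URL built by a third party is rejected.
function example_queue_remove_user($qid, $uid) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, "example_queue_remove:$qid:$uid")) {
    drupal_access_denied();
    return;
  }
  db_query("DELETE FROM {example_queue_users} WHERE qid = %d AND uid = %d", $qid, $uid);
  drupal_goto('admin/example-queue/' . $qid);
}
```

Routing the deletion through a confirmation form built with `confirm_form()` achieves the same protection, because the Drupal 6 Form API adds and validates a form token on submission.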
Versions affected
- User Queue module for Drupal 6.x versions prior to 6.x-1.1.
Drupal core is not affected. If you do not use the contributed User Queue module, there is nothing you need to do.
Solution
Install the latest version.
- If you use the User Queue module for Drupal 6.x, upgrade to User Queue 6.x-1.1
See also the User Queue project page.
Reported by
Fixed by
- Matt Johnson, the module maintainer
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.