  • Advisory ID: DRUPAL-SA-CONTRIB-2010-056
  • Project: User Queue (third-party module)
  • Versions: 6.x
  • Date: 2010-May-19
  • Security risk: Less Critical
  • Exploitable from: Remote
  • Vulnerability: Cross-site Request Forgery

Description

The User Queue module allows you to create multiple queues, add users to them, and order the users within the queue. The module is vulnerable to cross-site request forgeries (CSRF) via the URL used to delete users from the queue. A user with "administer user queues" permission could be manipulated into requesting this URL and removing any user from the queue.
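The following is an added example, not code from the User Queue module or from the fix shipped in 6.x-1.1. It sketches one common Drupal 6 way to protect a delete URL like the one described above, using the core functions drupal_get_token() and drupal_valid_token(). The module name example_queue, the menu path and the table name are hypothetical.

```php
<?php
// Hypothetical module "example_queue": the module name, menu path and table
// are illustrative assumptions, not taken from the User Queue module.

/**
 * Implementation of hook_menu(): a remove URL reached through a plain GET link.
 */
function example_queue_menu() {
  $items['admin/example-queue/%/remove/%'] = array(
    'title' => 'Remove user from queue',
    'page callback' => 'example_queue_remove',
    'page arguments' => array(2, 4),
    'access arguments' => array('administer user queues'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Builds the remove link with a token bound to the session and to this action.
 */
function example_queue_remove_link($qid, $uid) {
  $token = drupal_get_token("example_queue_remove:$qid:$uid");
  return l(t('remove'), "admin/example-queue/$qid/remove/$uid",
    array('query' => array('token' => $token)));
}

/**
 * Page callback. Without the token check below, the permission check in
 * hook_menu() is the only gate, and it passes for any request sent by the
 * browser of a logged-in user who holds "administer user queues".
 */
function example_queue_remove($qid, $uid) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!is_string($token) || !drupal_valid_token($token, "example_queue_remove:$qid:$uid")) {
    // Missing or wrong token: refuse before any state changes.
    return MENU_ACCESS_DENIED;
  }
  // %d placeholders cast both URL arguments to integers.
  db_query("DELETE FROM {example_queue_users} WHERE qid = %d AND uid = %d", $qid, $uid);
  drupal_set_message(t('User removed from the queue.'));
  drupal_goto("admin/example-queue/$qid");
}
```

Routing the removal through a confirmation form built with confirm_form() is an alternative, since the Form API validates its own token for authenticated users on submission.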

Versions affected

  • User Queue module for Drupal 6.x versions prior to 6.x-1.1.

Drupal core is not affected. If you do not use the contributed User Queue module, there is nothing you need to do.

Solution

Install the latest version.

See also the User Queue project page.

Reported by

Fixed by

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.