CVE-2012-1057

Current Description

Cross-site request forgery (CSRF) vulnerability in the clickthrough tracking functionality in the Forward module 6.x-1.x before 6.x-1.21 and 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to hijack the authentication of administrators for requests that increase node rankings via the tracking code, possibly related to improper "flood control."

Basic Data

Published: February 14, 2012
Last Modified: August 29, 2017
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-352
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: SINGLE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Availability Impact: PARTIAL
CVSS 2 - Base Score: 6.0
Severity: MEDIUM
Exploitability Score: 6.8
Impact Score: 6.4
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • AND
    • OR - Configuration 1
      Every row is CPE version 2.3 with Part = Application. The columns not shown (Edition, Language, SW Edition, Target SW, Target HW, Other) are "*" in every row, and the Version Start/End Including/Excluding columns are empty in every row.
      Vendor         | Product | Version     | Update
      Sean Robertson | Forward | 6.x-1.0     | *
      Sean Robertson | Forward | 6.x-1.1     | *
      Sean Robertson | Forward | 6.x-1.2     | *
      Sean Robertson | Forward | 6.x-1.3     | *
      Sean Robertson | Forward | 6.x-1.4     | *
      Sean Robertson | Forward | 6.x-1.5     | *
      Sean Robertson | Forward | 6.x-1.6     | *
      Sean Robertson | Forward | 6.x-1.7     | *
      Sean Robertson | Forward | 6.x-1.8     | *
      Sean Robertson | Forward | 6.x-1.9     | *
      Sean Robertson | Forward | 6.x-1.10    | *
      Sean Robertson | Forward | 6.x-1.11    | *
      Sean Robertson | Forward | 6.x-1.12    | *
      Sean Robertson | Forward | 6.x-1.13    | *
      Sean Robertson | Forward | 6.x-1.14    | *
      Sean Robertson | Forward | 6.x-1.15    | *
      Sean Robertson | Forward | 6.x-1.16    | *
      Sean Robertson | Forward | 6.x-1.17    | *
      Sean Robertson | Forward | 6.x-1.18    | *
      Sean Robertson | Forward | 6.x-1.19    | *
      Sean Robertson | Forward | 6.x-1.20    | *
      Sean Robertson | Forward | 6.x-1.x-dev | *
    • OR Running on/with:
      Same column conventions as above (CPE 2.3, Part = Application, remaining fields "*", range columns empty).
      Vendor | Product | Version | Update
      Drupal | Drupal  | *       | *
  • AND
    • OR - Configuration 2
      Same column conventions as above (CPE 2.3, Part = Application, remaining fields "*", range columns empty).
      Vendor         | Product | Version     | Update
      Sean Robertson | Forward | 7.x-1.0     | *
      Sean Robertson | Forward | 7.x-1.0     | alpha1
      Sean Robertson | Forward | 7.x-1.0     | alpha2
      Sean Robertson | Forward | 7.x-1.0     | alpha3
      Sean Robertson | Forward | 7.x-1.0     | rc1
      Sean Robertson | Forward | 7.x-1.0     | rc2
      Sean Robertson | Forward | 7.x-1.0     | rc3
      Sean Robertson | Forward | 7.x-1.0     | rc4
      Sean Robertson | Forward | 7.x-1.1     | *
      Sean Robertson | Forward | 7.x-1.2     | *
      Sean Robertson | Forward | 7.x-1.x-dev | *
    • OR Running on/with:
      Same column conventions as above (CPE 2.3, Part = Application, remaining fields "*", range columns empty).
      Vendor | Product | Version | Update
      Drupal | Drupal  | *       | *

Vulnerable Software List

Vendor | Product | Versions
Sean Robertson | Forward | 6.x-1.0, 6.x-1.1, 6.x-1.10, 6.x-1.11, 6.x-1.12, 6.x-1.13, 6.x-1.14, 6.x-1.15, 6.x-1.16, 6.x-1.17, 6.x-1.18, 6.x-1.19, 6.x-1.2, 6.x-1.20, 6.x-1.3, 6.x-1.4, 6.x-1.5, 6.x-1.6, 6.x-1.7, 6.x-1.8, 6.x-1.9, 6.x-1.x-dev, 7.x-1.0, 7.x-1.1, 7.x-1.2, 7.x-1.x-dev

References

Name | URL | Source | Tags
http://drupal.org/node/1423722 | http://drupal.org/node/1423722 | CONFIRM | PATCH
http://drupal.org/node/1425150 | http://drupal.org/node/1425150 | CONFIRM | PATCH, Vendor Advisory
http://drupalcode.org/project/forward.git/commitdiff/72158fdbfbf5a068938985e3d10ce1d8f969d9c3 | http://drupalcode.org/project/forward.git/commitdiff/72158fdbfbf5a068938985e3d10ce1d8f969d9c3 | CONFIRM |
78817 | http://osvdb.org/78817 | OSVDB |
47851 | http://secunia.com/advisories/47851 | SECUNIA | Vendor Advisory
51826 | http://www.securityfocus.com/bid/51826 | BID |
drupal-forward-unspecified-csrf(72922) | https://exchange.xforce.ibmcloud.com/vulnerabilities/72922 | XF |