CVE-2007-5594

Drupal < 5.3 - CSRF

Title source: rule

Description

Drupal 5.x before 5.3 does not apply its Drupal Forms API protection against the user deletion form, which allows remote attackers to delete users via a cross-site request forgery (CSRF) attack.

References (6)

[Patch, Vendor Advisory] http://drupal.org/node/184348

[Third Party Advisory] http://secunia.com/advisories/27290

[Third Party Advisory] http://secunia.com/advisories/27352

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/26119

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/37268

[Third Party Advisory] https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00328.html

Scores

EPSS 0.0051

EPSS Percentile 65.9%

Classification

CWE

CWE-352

Status draft

Affected Products (2)

drupal/drupal < 5.3

fedoraproject/fedora

Timeline

Published Oct 19, 2007

Tracked Since Feb 18, 2026