Description
Cross-site request forgery (CSRF) vulnerability in Drupal 7.12 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that end a session via the user/logout URI. NOTE: the vendor disputes the significance of this issue, by considering the "security benefit against platform complexity and performance impact" and concluding that a change to the logout behavior is not planned because "for most sites it is not worth the trade-off."
Exploits (1)
References (5)
Core References
Various Sources (x_refsource_misc): http://ivanobinetti.blogspot.it/2012/03/drupal-cms-712-latest-stable-release.html
Vendor Advisory (x_refsource_misc): http://groups.drupal.org/node/216314
Vendor Advisory (x_refsource_misc): http://drupal.org/node/144538
Exploit (x_refsource_exploit-db): http://www.exploit-db.com/exploits/18564/
Exploit (x_refsource_misc): http://packetstormsecurity.org/files/110404/drupal712-xsrf.txt
Scores
EPSS: 0.0169
EPSS Percentile: 82.4%
Details
CWE: CWE-352
Status: published
Products (49)
drupal/drupal 4.0
drupal/drupal 4.0.0
drupal/drupal 4.1.0
drupal/drupal 4.2.0_rc
drupal/drupal 4.4
drupal/drupal 4.4.0
drupal/drupal 4.4.1
drupal/drupal 4.4.2
drupal/drupal 4.4.3
drupal/drupal 4.5
... and 39 more
Published: Mar 28, 2012
Tracked Since: Feb 18, 2026