* Advisory ID: DRUPAL-SA-CONTRIB-2009-025 * Project: Fivestar (third-party module) * Version: 5.x, 6.x * Date: 2009-April-29 * Security risk: Not critical * Exploitable from: Remote * Vulnerability: Cross-site request forgery -------- DESCRIPTION --------------------------------------------------------- The Fivestar module provides a voting widget for content and records votes using Ajax. The URL used by the javascript to register votes is vulnerable to cross-site request forgeries (CSRF [1]) making it possible for users to unknowingly vote for content. -------- VERSIONS AFFECTED --------------------------------------------------- * Fivestar 5.x-1.x prior to 5.x-1.14 * Fivestar 6.x-1.x prior to 6.x-1.14 Drupal core is not affected. If you do not use the contributed Fivestar module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use Fivestar 5.x-1.x upgrade to Fivestar 5.x-1.14 [2] * If you use Fivestar 6.x-1.x upgrade to Fivestar 6.x-1.14 [3] See also the Fivestar project page [4]. -------- REPORTED BY --------------------------------------------------------- John Morahan [5] of the Drupal security team. -------- FIXED BY ------------------------------------------------------------ Nate Haug (quicksketch) [6] and Moshe Weitzman [7]. -------- CONTACT ------------------------------------------------------------- The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://en.wikipedia.org/wiki/Csrf [2] http://drupal.org/node/449028 [3] http://drupal.org/node/449026 [4] http://drupal.org/project/fivestar [5] http://drupal.org/user/58170 [6] http://drupal.org/user/35821 [7] http://drupal.org/user/23