[Security-news] Cloud - Critical - CSRF - SA-CONTRIB-2017-086
security-news at drupal.org
security-news at drupal.org
Wed Nov 29 18:47:34 UTC 2017
View online: https://www.drupal.org/sa-contrib-2017-086
Project: Cloud [1]
Version: 7.x-1.x-dev
Date: 2017-November-29
Security risk: *Critical* 18∕25
AC:None/A:User/CI:Some/II:All/E:Theoretical/TD:All [2]
Vulnerability: CSRF
Description:
This module enables sites to manage public clouds like Amazon EC2 and also
private clouds like OpenStack.
The module doesn't sufficiently protect the deletion of audit reports,
thereby exposing a cross-site request vulnerability which can be exploited by
unprivileged users to trick an administrator into unwanted deletion of audit
reports.
This vulnerability is mitigated by the fact that the victim must have a role
with the permission "access audit report".
Solution:
Install the latest version:
* If you use the Cloud module for Drupal 7, upgrade to Cloud 7.x-1.7 [3]
Reported By:
* Tatar Balazs Janos [4]
Fixed By:
* Tatar Balazs Janos [5]
* Yas Naoi [6] the module maintainer
Coordinated By:
* Tatar Balazs Janos [7]
[1] https://www.drupal.org/project/cloud
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/cloud/releases/7.x-1.7
[4] https://www.drupal.org/u/tatarbj
[5] https://www.drupal.org/u/tatarbj
[6] https://www.drupal.org/u/yas
[7] https://www.drupal.org/u/tatarbj
More information about the Security-news
mailing list