FreeBSD : drupal -- cross site request forgery (4451a4c9-c05e-11dc-982e-001372fd0af2)
Medium Nessus Plugin ID 29950
Synopsis: The remote FreeBSD host is missing one or more security-related updates.
Description: The Drupal Project reports:
The aggregator module fetches items from RSS feeds and makes them available on the site. The module provides an option to remove items from a particular feed. This has been implemented as a simple GET request and is therefore vulnerable to cross site request forgeries.
For example: Should a privileged user view a page containing an <img> tag with a specially constructed src pointing to a remove items URL, the items would be removed.
Solution: Update the affected packages.
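
An added example, not code from Drupal or from this advisory: a minimal Python model of the remove-items action described above, with the GET-triggered handler beside a version that requires POST and a session-bound token. The handler names, the session dictionary and the HMAC token scheme are assumptions made for illustration and do not describe the fix Drupal shipped.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-site secret, constructed for this demo
FEEDS = {}                            # feed id -> list of aggregated items


def action_token(session_id: str, action: str) -> str:
    """Token bound to one session and one action; a third-party page cannot compute it."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def remove_items_vulnerable(method, session, feed_id, params) -> int:
    """Pattern from the report: any authenticated request, GET included, removes items."""
    if not session.get("is_admin"):
        return 403
    FEEDS[feed_id] = []
    return 200


def remove_items_hardened(method, session, feed_id, params) -> int:
    """State change only on POST carrying the token issued with the confirmation form."""
    if not session.get("is_admin"):
        return 403
    if method != "POST":
        return 405
    expected = action_token(session["id"], f"remove-items:{feed_id}")
    if not hmac.compare_digest(expected, params.get("token", "")):
        return 403
    FEEDS[feed_id] = []
    return 200


def simulate_forged_img_request(handler):
    """Models a browser loading an <img>: GET, the admin's session attached, no token."""
    FEEDS[1] = ["item-a", "item-b"]  # constructed sample feed
    admin = {"id": "sess-constructed-1", "is_admin": True}
    return handler("GET", admin, 1, {}), len(FEEDS[1])


def simulate_legitimate_post():
    """Models the admin submitting the site's own form, which embeds the token."""
    FEEDS[1] = ["item-a", "item-b"]
    admin = {"id": "sess-constructed-1", "is_admin": True}
    token = action_token(admin["id"], "remove-items:1")
    return remove_items_hardened("POST", admin, 1, {"token": token}), len(FEEDS[1])
```

Rejecting GET alone is not sufficient, since a cross-site form can issue a POST; the token check is what ties the request to a form the site itself served to that session.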