Lucene search

Drupal Security TeamDRUPAL-SA-CONTRIB-2012-059

HistoryApr 11, 2012 - 12:00 a.m.

SA-CONTRIB-2012-059 - Autosave - Cross Site Request Forgery

2012-04-1100:00:00

Drupal Security Team

www.drupal.org

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.967 High

EPSS

Percentile

99.7%

JSON

CVE: CVE-2012-2097

This module enables snapshots of your node edit form to be saved in the background while you are editing to help prevent the data from being lost.

The module doesn’t sufficiently protect against a user being tricked into submitting saved results to a node.

Versions affected

Autosave 6.x versions prior to 6.x-2.10

Drupal core is not affected. If you do not use the contributed Autosave module, there is nothing you need to do.

Solution

Install the latest version:

If you use the Autosave module for Drupal 6.x, upgrade to Autosave 6.x-2.10

Also see the Autosave project page.

Reported by

Ryan Jud Hughes

Fixed by

liquidcms the module maintainer
Crell the module maintainer

Coordinated by

Michael Hess of the Drupal Security Team
Greg Knaddison of the Drupal Security Team

References

drupal.org/contact

drupal.org/node/1525998

drupal.org/project/autosave

drupal.org/security-team

drupal.org/security-team/risk-levels

drupal.org/security/secure-configuration

drupal.org/user/102818

drupal.org/user/26398

drupal.org/user/36762

drupal.org/user/44114

drupal.org/writing-secure-code

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.967 High

EPSS

Percentile

99.7%

JSON

Related for DRUPAL-SA-CONTRIB-2012-059