CVSS2 vector: AV:N/AC:M/Au:N/C:N/I:P/A:P
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
EPSS Percentile: 99.7%
This module enables you to quickly toggle various user, node and field related settings via AJAX links.
The recent 7.x-1.3 and 1.4 releases of the module include a rewrite of the access control which doesn’t correctly implement support for the user status (allow/block) link.
This vulnerability is mitigated by the fact that the administrator must enable the link in the fasttoggle configuration and allow user profiles to be viewed by anonymous or logged in users. For user 1 to be affected, the administrator must also enable the fasttoggle setting that allows that account to be blocked via fasttoggle.
All uses of the Fasttoggle module are logged, so any invocations of the exploit will be recorded. Accounts can only be blocked or unblocked via the exploit.
Drupal core is not affected. If you do not use the contributed Fasttoggle module, there is nothing you need to do.
Install the latest version:
Also see the Fasttoggle project page.
drupal.org/project/fasttoggle
www.drupal.org/node/2316065