Drupal Wishlist Module Cross Site Request Forgery and Cross Site Scripting Vulnerabilities

The Wishlist module for Drupal is prone to a cross-site request-forgery vulnerability and a cross-site scripting vulnerability.

An attacker may exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, or perform unauthorized actions. Other attacks may also be possible.


Bugtraq ID: 72114
Class: Input Validation Error
CVE: CVE-2015-3355

Remote: Yes
Local: No
Published: Jan 14 2015 12:00AM
Updated: Apr 12 2019 07:00PM
Credit: Pere Orga
Vulnerable: Drupal wishlist 7.x-2.6, Drupal wishlist 6.X-2.6

Not Vulnerable: Drupal wishlist 7.x-2.7, Drupal wishlist 6.X-2.7


An attacker must trick an unsuspecting victim into following a malicious URI to exploit these issues.

