Drupal Wishlist Module Cross Site Request Forgery and Cross Site Scripting Vulnerabilities



The Wishlist module for Drupal is prone to a cross-site request-forgery vulnerability and a cross-site scripting vulnerability.

An attacker may exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, or perform unauthorized actions. Other attacks may also be possible.

Information

Bugtraq ID: 72114
Class: Input Validation Error
CVE: CVE-2015-3355, CVE-2015-3354

Remote: Yes
Local: No
Published: Jan 14 2015 12:00AM
Updated: Apr 12 2019 07:00PM
Credit: Pere Orga
Vulnerable: Drupal wishlist 7.x-2.6, Drupal wishlist 6.X-2.6
Not Vulnerable: Drupal wishlist 7.x-2.7, Drupal wishlist 6.X-2.7


Exploit


An attacker must trick an unsuspecting victim into following a malicious URI to exploit these issues.

