An attacker could exploit this issue to force the user to log in via CSRF if they have access to the backend system. In certain cases, it is possible to perform a remote code execution (RCE) attack. The following components were affected by this issue:

- The system administrator profile
- The administrator group
- The Advanced settings module
- The Enable/Disable Voting settings module
- The Enable/Disable Poll settings module
- The Global statistics module
- The Search settings module
- The Basic information component

Vulnerability overview

A vulnerability was identified in Drupal 7 and has been fixed as of the release of this version.
The vulnerability in question was identified by a security researcher who found that the system administrator profile, administrator group, Advanced settings module, Enable/Disable Voting settings module, Enable/Disable Poll settings module and Global statistics module did not require CSRF protection.

System administrator profile

The system administrator profile allows the user to make changes to the backend. The following components were affected by this issue:

- The system administrator profile
- The administrator group

If an attacker can access a vulnerable system, they may be able to force the user's browser to make requests against the application. This could allow the attacker to perform a remote code execution (RCE) attack.
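The defence the affected settings forms lacked is a session-bound form token checked on every submission. The following is an added example, not Drupal's own code: it models the scheme Drupal 7 uses for its form tokens (assumed here: an HMAC over the form id keyed by the session id, the site's private key and its hash salt) and rejects a forged cross-site POST. The form id, secrets and session ids are constructed values.

```python
import base64
import hashlib
import hmac

# Constructed stand-ins for the site's private key and hash salt (assumption:
# this mirrors how Drupal 7 keys its form tokens, but is not Drupal code).
PRIVATE_KEY = "constructed-private-key"
HASH_SALT = "constructed-hash-salt"


def form_token(form_id: str, session_id: str) -> str:
    """Token bound to one form and one session: HMAC-SHA256 over the form id,
    keyed by session id + private key + hash salt, URL-safe base64 without padding."""
    key = (session_id + PRIVATE_KEY + HASH_SALT).encode()
    digest = hmac.new(key, form_id.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def is_valid_submission(request: dict, session_id: str) -> bool:
    """Accept a settings-form POST only if its token matches the one computed
    for this form and this session. A cross-site forged request rides on the
    victim's cookie (same session id) but cannot know the token, so it fails."""
    if request.get("method") != "POST":
        return False
    form_id = request.get("form_id")
    token = request.get("form_token")
    if not form_id or not token:
        return False
    expected = form_token(form_id, session_id)
    # Constant-time comparison so token checking does not leak by timing.
    return hmac.compare_digest(token.encode(), expected.encode())


# Constructed sample requests against a constructed admin settings form.
ADMIN_SESSION = "constructed-admin-session-id"
FORM_ID = "constructed_settings_form"
legit = {"method": "POST", "form_id": FORM_ID,
         "form_token": form_token(FORM_ID, ADMIN_SESSION)}
forged = {"method": "POST", "form_id": FORM_ID, "form_token": "guessed-token"}
missing = {"method": "POST", "form_id": FORM_ID}
```

A token minted for one session is also useless in another, so a captured token cannot be replayed against a different administrator's session.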

Timeline

Published on: 11/14/2022 20:15:00 UTC
Last modified on: 11/16/2022 23:11:00 UTC

References