Bug 786856 (CVE-2012-0826) - CVE-2012-0826 drupal6, drupal7: XSRF in the Aggregator module (SA-CORE-2012-001)
Summary: CVE-2012-0826 drupal6, drupal7: XSRF in the Aggregator module (SA-CORE-2012-001)
Alias: CVE-2012-0826
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2012-02-02 15:26 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:50 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-03-14 01:24:53 UTC

Attachments (Terms of Use)

Description Jan Lieskovsky 2012-02-02 15:26:15 UTC
A Cross Site Request Forgery (CSRF) flaw was found in the way the Aggregator module of Drupal, the content management system, performed retrieval of syndicated content from other websites. A remote attacker could provide a specially-crafted URL, which once visited by an unsuspecting Drupal user could lead to the Aggregator module to attempt to in unlimited way obtain feeds from remote websites, which in case the remote site enforced an upper bound / limit for count of feeds, which could be obtained during certain time interval, could lead to denial of service for the victim.

[1] http://drupal.org/node/1425084

Comment 1 Jan Lieskovsky 2012-02-02 15:34:48 UTC
This issue is scheduled to be corrected in the following drupal6 package
1) drupal6-6.24-1.el6  for Fedora EPEL 6,
2) drupal6-6.24-1.el5  for Fedora EPEL 5,
3) drupal6-6.24-1.fc15  for Fedora 15, 
4) drupal6-6.24-1.fc16  for Fedora 16.

Comment 2 Jan Lieskovsky 2012-02-02 15:40:30 UTC
This issue is scheduled to be corrected in the following drupal7 package updates:
1) drupal7-7.12-1.el6 for Fedora EPEL 6,
2) drupal7-7.12-1.el5 for Fedora EPEL 5,
3, drupal7-7.12-1.fc16 	for Fedora 16,
4) drupal7-7.12-1.fc15 	for Fedora 15.

Comment 3 Paul W. Frields 2012-03-14 01:24:53 UTC
These packages have been released for all Fedora and EPEL branches.

Note You need to log in before you can comment on or make changes to this bug.