CVE-2012-2069

Cross-site request forgery (CSRF) vulnerability in the Wishlist module 6.x-2.x before 6.x-2.6 and 7.x-2.x before 7.x-2.6 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that insert cross-site scripting (XSS) sequences via the (1) wl_reveal or (2) q parameters.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.8 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 62%
VendorProductVersion
mclewinwishlist
6.x-2.1:x
mclewinwishlist
6.x-2.2:x
mclewinwishlist
6.x-2.4:x
mclewinwishlist
7.x-2.5:x
mclewinwishlist
7.x-2.x:x
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://drupal.org/node/1483634
http://drupal.org/node/1483636
http://drupal.org/node/1492624
http://drupalcode.org/project/wishlist.git/commit/6660c33
http://drupalcode.org/project/wishlist.git/commit/73aaf98
http://secunia.com/advisories/48486
http://www.madirish.net/content/drupal-wishlist-6x-24-xss-vulnerability
http://www.openwall.com/lists/oss-security/2012/04/07/1
http://www.securityfocus.com/bid/52660
http://drupal.org/node/1483634
http://drupal.org/node/1483636
http://drupal.org/node/1492624
http://drupalcode.org/project/wishlist.git/commit/6660c33
http://drupalcode.org/project/wishlist.git/commit/73aaf98
http://secunia.com/advisories/48486
http://www.madirish.net/content/drupal-wishlist-6x-24-xss-vulnerability
http://www.openwall.com/lists/oss-security/2012/04/07/1
http://www.securityfocus.com/bid/52660