The URL for deleting an answer does not protect against a cross-site request forgery (CSRF) attack in which someone tricks an authenticated user into deleting their answer to a meeting poll.
For example, the URL for deleting an answer looks like /makemeeting/delete-answer/17
If an attacker embeds an img tag with its src set to that URL and gets that user to view the page, the user's browser will make an authenticated GET request to the URL and their answer will be deleted. You can read more about CSRF at http://drupalscout.com/knowledge-base/introduction-cross-site-request-fo...
You should require a token (bound to the user's session and to the answer being deleted) as a query parameter on the callback, and reject requests whose token does not validate, to protect against this.
(This doesn't appear to be an issue in the 1.x branches of the module and since the 2.x release isn't stable yet this can be discussed publicly in the issue queue.)
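As an added illustration of the token approach suggested above (example code, not the makemeeting module's own), this Drupal 7 callback binds a drupal_get_token() value to the answer ID and refuses the delete when drupal_valid_token() fails; the makemeeting_example_* names, the table name and the column name are assumptions.

```php
<?php
/**
 * Implements hook_menu().
 *
 * Example only: the makemeeting_example_* names are hypothetical and the
 * real module's callbacks may differ.
 */
function makemeeting_example_menu() {
  $items['makemeeting/delete-answer/%'] = array(
    'page callback' => 'makemeeting_example_delete_answer',
    'page arguments' => array(2),
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Builds the delete link with a CSRF token bound to this answer ID.
 *
 * The token is derived from the current user's session, so a page an
 * attacker controls cannot produce a valid one for the victim.
 */
function makemeeting_example_delete_link($answer_id) {
  $token = drupal_get_token('makemeeting-delete-answer-' . $answer_id);
  return l(t('Delete'), 'makemeeting/delete-answer/' . $answer_id, array(
    'query' => array('token' => $token),
    'attributes' => array('rel' => 'nofollow'),
  ));
}

/**
 * Page callback: deletes an answer only if the request carries a valid token.
 *
 * A forged <img src="/makemeeting/delete-answer/17"> carries no token (or a
 * token for the wrong session/answer), so validation fails and the row stays.
 */
function makemeeting_example_delete_answer($answer_id) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'makemeeting-delete-answer-' . $answer_id)) {
    return MENU_ACCESS_DENIED;
  }
  // Constructed stand-in for the module's delete logic: table and column
  // names are assumptions, not the module's real schema.
  db_delete('makemeeting_answer')
    ->condition('aid', $answer_id)
    ->execute();
  drupal_set_message(t('Your answer has been deleted.'));
  drupal_goto('<front>');
}
```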
Comments
Comment #1
SebCorbin commented: This should have been fixed with #1837220: Make edit and delete links rel="nofollow" and add a confirm message and http://drupalcode.org/project/makemeeting.git/blobdiff/cd6fddc55ed246e98...
Does it still apply with the dev version?
Comment #2
btopro commented: I think this won't be an issue because you have the form confirmation in there. Previously it would have, so you'll probably have to issue a security notice; just catching up on the code here.
Comment #3
coltrane commented: You are correct, this looks fixed in dev. Thanks!
Comment #4
SebCorbin commented: I agree with #2; the next release will be a security one.