• Advisory ID: DRUPAL-SA-CONTRIB-2009-025
  • Project: Fivestar (third-party module)
  • Version: 5.x, 6.x
  • Date: 2009-April-29
  • Security risk: Not critical
  • Exploitable from: Remote
  • Vulnerability: Cross-site request forgery


The Fivestar module provides a voting widget for content and records votes using Ajax.

The URL used by the javascript to register votes is vulnerable to cross-site request forgeries (CSRF) making it possible for users to unknowingly vote for content.

Versions affected

  • Fivestar 5.x-1.x prior to 5.x-1.14
  • Fivestar 6.x-1.x prior to 6.x-1.14

Drupal core is not affected. If you do not use the contributed Fivestar module, there is nothing you need to do.


Install the latest version:

See also the Fivestar project page.

Reported by

John Morahan of the Drupal security team.

Fixed by

Nate Haug (quicksketch) and Moshe Weitzman.


The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.