- Advisory ID: DRUPAL-SA-CONTRIB-2009-025
- Project: Fivestar (third-party module)
- Version: 5.x, 6.x
- Date: 2009-April-29
- Security risk: Not critical
- Exploitable from: Remote
- Vulnerability: Cross-site request forgery
Description
The Fivestar module provides a voting widget for content and records votes using Ajax.
The URL that the widget's JavaScript calls to register a vote is vulnerable to cross-site request forgery (CSRF), making it possible for users to be made to vote for content without knowing it.
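As an added illustration of the class of bug (not Fivestar's code and not the actual patch), here is a Drupal 6 Ajax menu callback of this shape, first without and then with the core form-token check; the path, function names, table and parameters are all assumed.

```php
<?php
// Added illustration, not Fivestar's code. Path, function names, the
// {example_votes} table and the parameters are assumed for this example.

function example_menu() {
  $items['example/vote/%node/%'] = array(
    'page callback' => 'example_vote_protected',
    'page arguments' => array(2, 3),
    'access arguments' => array('rate content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// Constructed storage call; a real module would go through the Voting API.
function example_record_vote($nid, $value) {
  db_query("INSERT INTO {example_votes} (nid, uid, value) VALUES (%d, %d, %d)",
    $nid, $GLOBALS['user']->uid, $value);
}

// Vulnerable shape: any request to the path made by a logged-in user's
// browser records a vote, so a page on another site can trigger it.
function example_vote_unprotected($node, $value) {
  example_record_vote($node->nid, (int) $value);
  drupal_json(array('ok' => TRUE));
}

// Hardened shape: the widget is rendered with a token bound to the target
// node and the user's session (drupal_get_token() derives it from the
// private site key), and the callback refuses requests that lack it.
function example_vote_url($nid, $value) {
  $token = drupal_get_token('example_vote_' . $nid);
  return url('example/vote/' . $nid . '/' . $value,
    array('query' => array('token' => $token)));
}

function example_vote_protected($node, $value) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'example_vote_' . $node->nid)) {
    // A forged cross-site request cannot carry a valid token.
    drupal_access_denied();
    return;
  }
  example_record_vote($node->nid, (int) $value);
  drupal_json(array('ok' => TRUE));
}
```

A vote URL produced by example_vote_url() carries the token as a query parameter, so only links the site itself rendered for that session pass the check.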
Versions affected
- Fivestar 5.x-1.x prior to 5.x-1.14
- Fivestar 6.x-1.x prior to 6.x-1.14
Drupal core is not affected. If you do not use the contributed Fivestar module, there is nothing you need to do.
Solution
Install the latest version:
- If you use Fivestar 5.x-1.x upgrade to Fivestar 5.x-1.14
- If you use Fivestar 6.x-1.x upgrade to Fivestar 6.x-1.14
See also the Fivestar project page.
Reported by
John Morahan of the Drupal security team.
Fixed by
Nate Haug (quicksketch) and Moshe Weitzman.
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.