Drupal JSON API Module Cross Site Request Forgery Vulnerability

Bugtraq ID:	104004
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Apr 25 2018 12:00AM
Updated:	Apr 25 2018 12:00AM
Credit:	Mateu Aguiló Bosch (e0ipso)
Vulnerable:	Drupal JSON API 8.x-1.9 Drupal JSON API 8.x-1.8 Drupal JSON API 8.x-1.7 Drupal JSON API 8.x-1.6 Drupal JSON API 8.x-1.5 Drupal JSON API 8.x-1.4 Drupal JSON API 8.x-1.3 Drupal JSON API 8.x-1.2 Drupal JSON API 8.x-1.15 Drupal JSON API 8.x-1.14 Drupal JSON API 8.x-1.13 Drupal JSON API 8.x-1.12 Drupal JSON API 8.x-1.11 Drupal JSON API 8.x-1.10 Drupal JSON API 8.x-1.1 Drupal JSON API 8.x-1.0
Not Vulnerable:	Drupal JSON API 8.x-1.16

Drupal JSON API Module Cross Site Request Forgery Vulnerability

JSON API module for Drupal is prone to a cross-site request-forgery vulnerability.

An attacker can exploit this issue to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible.

JSON API 8.x versions prior to 8.x-1.16 are vulnerable; other versions may also be affected.

Drupal JSON API Module Cross Site Request Forgery Vulnerability

Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

Drupal JSON API Module Cross Site Request Forgery Vulnerability

Solution:
Updates are available. Please see the references or vendor advisory for more information.

Drupal JSON API Module Cross Site Request Forgery Vulnerability

References:

• Drupal Homepage (Drupal)
  
• SA-CONTRIB-2018-021: JSON API - Moderately critical - Cross Site Request Forgery (Drupal)