
SS-2015-017: Forum Module CSRF Vulnerability

Severity:
Critical
Identifier:
ss-2015-017
Versions Affected:
0.6.1 and below, 0.7.0 to 0.7.3
Versions Fixed:
0.6.2, 0.7.4, 0.8.0
Release Date:
2015-08-10

A number of form actions in the Forum module are directly accessible: they can be triggered by a plain GET request and perform their state change without checking the form's CSRF token (SecurityID). A malicious user (e.g. a spammer) can therefore create Members and post to forums simply by requesting a crafted URL, bypassing both the CSRF protection and the anti-spam measures that the normal form submission path enforces.

Additionally, a forum moderator could be tricked into clicking a specially crafted URL, resulting in a topic being moved.
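To make the failure mode concrete, the following framework-neutral Python illustration (added here; it is not code from the Forum module or from SilverStripe) models a "post to forum" action twice: once as described above, reachable by GET and never checking a token, and once hardened so that it requires a POST carrying a session-bound SecurityID that is compared in constant time. The `Request` class, the hypothetical `forum` list and the sample requests are constructed for the demonstration. The same pattern covers the moderator "move topic" case, since that is also a state-changing action reachable by a crafted URL.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for an HTTP request.

    `params` merges query string and body, the way PHP's $_REQUEST does,
    which is exactly why a GET-reachable action is indistinguishable from
    a real form post unless the handler checks method and token itself.
    `session` is the server-side session tied to the browser's cookie, so
    a victim's browser following an attacker's link still presents it.
    """
    method: str
    params: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)


def issue_token(session: dict) -> str:
    """Render-time helper: create (once) the random token the form embeds."""
    token = session.get("SecurityID")
    if token is None:
        token = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
        session["SecurityID"] = token
    return token


def vulnerable_post(request: Request, forum: list) -> int:
    """Models the advisory's flaw: any method, no token check.

    A spammer only needs the victim (or their own browser) to load
    /post?Content=... and the message is stored.
    """
    forum.append(request.params["Content"])
    return 200


def hardened_post(request: Request, forum: list) -> int:
    """Same action, gated the way the fixed form submission path is."""
    if request.method != "POST":
        return 405  # state changes never happen on GET
    expected = request.session.get("SecurityID")
    supplied = request.params.get("SecurityID", "")
    # Constant-time compare on bytes so a non-ASCII token cannot raise.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 400  # missing or wrong SecurityID: treat as CSRF/spam
    forum.append(request.params["Content"])
    return 200


def run_demo() -> dict:
    """Exercise both handlers; returns the status codes and stored posts."""
    victim_session: dict = {}
    legit_token = issue_token(victim_session)

    # Attacker-crafted URL: GET, no token, but the victim's cookie session rides along.
    forged_get = Request("GET", {"Content": "buy pills"}, victim_session)
    # Cross-site auto-submitting form: POST, but the attacker cannot read the token.
    forged_post = Request("POST", {"Content": "buy pills", "SecurityID": "guess"}, victim_session)
    # Genuine submission rendered from the real form, token included.
    genuine = Request("POST", {"Content": "hello", "SecurityID": legit_token}, victim_session)

    vuln_forum: list = []
    safe_forum: list = []
    return {
        "vulnerable_get": vulnerable_post(forged_get, vuln_forum),
        "vulnerable_posts": list(vuln_forum),
        "hardened_get": hardened_post(forged_get, safe_forum),
        "hardened_forged_post": hardened_post(forged_post, safe_forum),
        "hardened_genuine": hardened_post(genuine, safe_forum),
        "hardened_posts": list(safe_forum),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Rejecting GET alone is not enough: an attacker page can auto-submit a cross-site POST, which is why the token check, not the method check, is what actually stops the forgery. Requiring POST still matters because it closes the "just click this link" vector the advisory describes for the moderator.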

Thanks to Michael Strong for discovering this issue.

Common Vulnerability Scoring System (CVSS) Information