SS-2015-017: Forum Module CSRF Vulnerability
- Severity: Critical (?)
- Identifier: ss-2015-017
- Versions Affected: 0.6.1 and below, 0.7.0 to 0.7.3
- Versions Fixed: 0.6.2, 0.7.4, 0.8.0
- Release Date: 2015-08-10
A number of form actions in the Forum module are directly accessible, so a malicious user (e.g. a spammer) can trigger them with plain GET requests to create Members and post to forums, bypassing the CSRF and anti-spam protections that the corresponding forms normally apply.
Additionally, a forum moderator could be tricked into clicking a specially crafted URL, resulting in a topic being moved.
Thanks to Michael Strong for discovering this issue.
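Both problems above share one root cause: a state-changing controller action that can be reached with a bare request, outside the form that carries the CSRF token. The following is an added illustration written for this advisory, not code from the Forum module or from SilverStripe itself. It sketches the weak pattern next to a hardened version in SilverStripe 3 style; the class and action names (`WeakTopicController`, `HardenedTopicController`, `moveTopic`, `TopicID`, `ForumID`) are hypothetical, while `SS_HTTPRequest::isPOST()`, `SS_HTTPRequest::postVar()`, `SecurityToken::inst()->checkRequest()`, `Permission::check()` and `Controller::httpError()` are framework APIs.

```php
<?php
// Added example (hypothetical controllers, not the Forum module's own code).

// Weak pattern: the action is routable and acts on request parameters without
// checking the HTTP method or the CSRF token. Any crafted link that a moderator
// opens (or a GET a spammer scripts) performs the state change.
class WeakTopicController extends Controller {
    private static $allowed_actions = array('moveTopic');

    public function moveTopic(SS_HTTPRequest $request) {
        $topicID = (int) $request->getVar('TopicID');   // read straight from the query string
        $forumID = (int) $request->getVar('ForumID');
        // ... topic is moved here with no method or token check ...
        return $this->redirectBack();
    }
}

// Hardened pattern: the same action only proceeds for an authenticated,
// authorised user, over POST, with a valid session-bound security token.
class HardenedTopicController extends Controller {
    private static $allowed_actions = array('moveTopic');

    public function moveTopic(SS_HTTPRequest $request) {
        // 1. A state-changing action must not be reachable through a plain link.
        if (!$request->isPOST()) {
            return $this->httpError(405, 'POST required');
        }

        // 2. The SecurityID field (rendered into the form via $SecurityID in the
        //    template) must match the token stored in the current session.
        if (!SecurityToken::inst()->checkRequest($request)) {
            return $this->httpError(400, 'Invalid or missing security token');
        }

        // 3. Only a user holding the assumed moderation permission may proceed
        //    ('ADMIN' is used here as a stand-in for the real permission code).
        if (!Permission::check('ADMIN')) {
            return $this->httpError(403, 'Not permitted');
        }

        // 4. Parameters come from the POST body, not the query string.
        $topicID = (int) $request->postVar('TopicID');
        $forumID = (int) $request->postVar('ForumID');
        if ($topicID <= 0 || $forumID <= 0) {
            return $this->httpError(400, 'Bad parameters');
        }

        // ... perform the move for $topicID into $forumID ...
        return $this->redirectBack();
    }
}
```

The same gate (method check, token check, permission check, body parameters only) closes the member-registration and posting paths as well: with the token tied to the session, a scripted GET from an outside origin cannot supply a valid `SecurityID`, so the form's CSRF and anti-spam checks can no longer be skipped by calling the action directly.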