Problem/Motivation
This has been publicly disclosed, hence we are fixing in public instead of in the private security team tracker.
Reported by Fernando_Arnaboldi.
An attacker can force an administrator to trigger an update check through a cross-site request forgery (CSRF) vulnerability in the update functionality. The affected routes are:
- Drupal 6: affected
    http://mysite/?q=admin/reports/updates/check
- Drupal 7: affected
    ?q=admin/reports/updates/check
    ?q=admin/reports/updates
Proposed resolution
Add CSRF token protection to those menu routes
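As an added illustration of the proposed resolution (example code, not the core patch for this issue), a hypothetical Drupal 7 module named csrf_example that requires a session-bound token on the manual check route; the report route listed above would need the same treatment.

```php
<?php
// Added example (not the Drupal core fix): hypothetical Drupal 7 module
// "csrf_example" that adds CSRF token protection to the manual update check.

/**
 * Implements hook_menu_alter().
 *
 * The stock route responds to a plain GET, so any page an administrator
 * visits could embed it as a link or image. Swap in an access callback
 * that also demands a valid token in the query string.
 */
function csrf_example_menu_alter(&$items) {
  if (isset($items['admin/reports/updates/check'])) {
    $items['admin/reports/updates/check']['access callback'] = 'csrf_example_update_check_access';
    $items['admin/reports/updates/check']['access arguments'] = array();
  }
}

/**
 * Access callback: require the admin permission AND a valid CSRF token.
 *
 * drupal_valid_token() binds the token to the current session, so a token
 * copied from another user's page (or guessed) does not validate.
 */
function csrf_example_update_check_access() {
  if (!user_access('administer site configuration')) {
    return FALSE;
  }
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  return drupal_valid_token($token, 'csrf_example_update_check');
}

/**
 * Builds the "Check manually" link with a matching token, so only links
 * rendered by the site inside the administrator's own session work.
 */
function csrf_example_check_link() {
  return l(t('Check manually'), 'admin/reports/updates/check', array(
    'query' => array('token' => drupal_get_token('csrf_example_update_check')),
  ));
}
```

A request to the route without the token is now answered with the menu system's access-denied page rather than a fetch, which is also the behaviour to look for when confirming the fix.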
Remaining tasks
write patch
User interface changes
n/a
API changes
n/a
Data model changes
n/a