cvedb.io
CVE-2015-6660
UNKNOWN · CVSS n/a
EPSS exploitation probability: 0%
Published 2015-08-24T14:59:17.540 · Last modified 2026-06-17T00:31:12.023

Summary

The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly validate the form token, which allows remote attackers to conduct CSRF attacks that upload files in a different user's account via vectors related to "file upload value callbacks."

Affected products

drupal — drupal

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.