The vulnerability stems from missing CSRF protection on administrative block management endpoints. In Drupal's architecture, the BlockController::disable method handles block disabling operations. Prior to 8.2.7, the corresponding route definition (block.disable) did not require a CSRF token, so a forged POST request to this endpoint would be accepted and acted upon. This matches the advisory's description of unprotected administrative paths and the CWE-352 classification. Confidence is high because it aligns with Drupal's security pattern, in which sensitive operations carry a _csrf_token route requirement; that requirement was added in the patched version.
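To make the route-level fix concrete, the following is an added illustration (not Drupal's own routing file) of the block.disable route as the text describes it, weak definition first and corrected definition second; the route name and controller method come from the paragraph above, while the path and permission name are assumed for the example.

```yaml
# Added example, not the Drupal project's own block.routing.yml.
# Route name and controller method are taken from the advisory text above;
# the path and the 'administer blocks' permission are assumed here.

# BEFORE (pre-8.2.7 pattern): access is gated only by a permission, so a
# request forged from another site and carried by an administrator's browser
# session passes the check and disables the block (CWE-352).
block.disable:
  path: '/admin/structure/block/manage/{block}/disable'
  defaults:
    _controller: '\Drupal\block\Controller\BlockController::disable'
  requirements:
    _permission: 'administer blocks'
    # no _csrf_token requirement: nothing binds the request to the admin UI

---
# AFTER (patched pattern): the _csrf_token requirement makes Drupal's CSRF
# access check compare the request's 'token' query parameter with a
# session-bound token derived from the route. A cross-site page cannot
# read that value, so forged requests are denied; links built with
# Url::fromRoute() for this route get the token appended automatically,
# so legitimate UI actions keep working.
block.disable:
  path: '/admin/structure/block/manage/{block}/disable'
  defaults:
    _controller: '\Drupal\block\Controller\BlockController::disable'
  requirements:
    _permission: 'administer blocks'
    _csrf_token: 'TRUE'
```

When auditing a site for this class of issue, list routes whose controllers change state and confirm each one declares either _csrf_token or a form-based token; a permission requirement alone does not defend against CSRF.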
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| drupal/core | composer | >= 8.2.0, < 8.2.7 | 8.2.7 |
| drupal/drupal | composer | >= 8.2.0, < 8.2.7 | 8.2.7 |