Unrated severityNVD Advisory· Published Aug 24, 2015· Updated May 6, 2026

CVE-2015-6660

Description

The Form API in Drupal 6.x before 6.37 and 7.x before 7.39 does not properly validate the form token, which allows remote attackers to conduct CSRF attacks that upload files in a different user's account via vectors related to "file upload value callbacks."

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.drupal.org/SA-CORE-2015-003nvdPatchVendor Advisory
lists.fedoraproject.org/pipermail/package-announce/2015-August/165061.htmlnvd
lists.fedoraproject.org/pipermail/package-announce/2015-September/165690.htmlnvd
lists.fedoraproject.org/pipermail/package-announce/2015-September/165704.htmlnvd
lists.fedoraproject.org/pipermail/package-announce/2015-September/165723.htmlnvd
lists.fedoraproject.org/pipermail/package-announce/2015-September/165733.htmlnvd
lists.fedoraproject.org/pipermail/package-announce/2015-September/165840.htmlnvd
www.debian.org/security/2015/dsa-3346nvd
www.securitytracker.com/id/1033358nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000