High severity 7.5 · NVD Advisory · Published Mar 16, 2017 · Updated May 13, 2026
CVE-2017-6379
Description
Some administrative paths in Drupal 8.2.x before 8.2.7 did not include protection for CSRF. This would allow an attacker to disable some blocks on a site. This issue is mitigated by the fact that users would have to know the block ID.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| drupal/core (Packagist) | >= 8.2.0, < 8.2.7 | 8.2.7 |
| drupal/drupal (Packagist) | >= 8.2.0, < 8.2.7 | 8.2.7 |
Affected products
- cpe:2.3:a:drupal:drupal:8.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:8.2.6:*:*:*:*:*:*:*
- Drupal/Drupal Core · v5 · Range: 8.2.x versions before 8.2.7
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-gxxq-fhc7-3jv9 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-6379 (ghsa; ADVISORY)
- www.drupal.org/SA-2017-001 (nvd; Release Notes, Third Party Advisory, WEB)
- www.securityfocus.com/bid/96919 (nvd; WEB)
- www.securitytracker.com/id/1038058 (nvd; WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/CVE-2017-6379.yaml (ghsa; WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/CVE-2017-6379.yaml (ghsa; WEB)