Drupal Prepopulate Module vulnerabilities

Two vulnerabilities have been reported in the Prepopulate module for Drupal, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to conduct cross-site request forgery attacks, according to Secunia.

1. Input passed via the Prepopulate form is not properly sanitized before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user’s browser session in context of an affected site when the malicious data is being viewed.

Successful exploitation of this vulnerability requires permissions to use forms with certain form fields.

2. The application’s web interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to submit unspecified values in a form by tricking a logged in user into visiting a malicious web site.

The vulnerability is reported in versions prior to 6.x-2.2.