Timezone Detect – Moderately Critical – Cross Site Request Forgery – SA-CONTRIB-2017-020

Description

This module enables sites to automatically detect and set user timezones via JavaScript.

The module does not sufficiently protect against Cross-Site Request Forgery (CSRF): an attacker could use this vulnerability to manipulate a user’s timezone setting. The security implication of this issue depends on the site. It can range from minor annoyance to some level of a bigger bug on a site that relies on the timezone for some more important purpose.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Timezone Detect 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Timezone Detect module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Timezone Detect project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Leave a Reply