CSRF attack in Drupal Heartbeat
Impact: Cross Site Scripting
– Drupal Heartbeat Module 6.x;
– Drupal Heartbeat Module 7.x
Affected versions: Drupal Heartbeat version to 6.x-4.12, possibly earlier.
Drupal Heartbeat version to 7.x-1.1, maybe earlier.
The vulnerability allows malicious people to conduct XSS attacks.
The vulnerability is caused due to the lack of authentication of HTTP requests when you perform some action. A remote user can perform CSRF attack and post a comment.
Manufacturer URL: http://drupal.org/project/heartbeat
Solution: Install the update from the manufacturer.