CVE-2012-2097

medium

Published 2012-08-14 · Modified 2026-04-29

CVSS v3

—

CVSS v2

6.8

VIR risk

6.8

Description

Cross-site request forgery (CSRF) vulnerability in the Autosave module 6.x before 6.x-2.10 and 7.x-2.x before 7.x-2.0 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests involving "submitting saved results to a node."

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — http://drupalcode.org/project/autosave.git/commitdiff/f7bfd2d

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — http://drupalcode.org/project/autosave.git/commitdiff/39f7fb0

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — http://drupal.org/node/1528906

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — http://drupal.org/node/1528864

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — http://drupal.org/node/1525998

Application impact

Vendor	Product	Versions
larry_garfield	autosave	`{"endIncluding":"6.x-2.9"}`
larry_garfield	autosave	`6.x-2.0`
larry_garfield	autosave	`6.x-2.1`
larry_garfield	autosave	`6.x-2.2`
larry_garfield	autosave	`6.x-2.3`
larry_garfield	autosave	`6.x-2.4`
larry_garfield	autosave	`6.x-2.5`
larry_garfield	autosave	`6.x-2.6`
larry_garfield	autosave	`6.x-2.7`
larry_garfield	autosave	`6.x-2.8`
larry_garfield	autosave	`6.x-2.x`
larry_garfield	autosave	`7.x-2.x`
drupal	drupal	`-`

References

CWEs

CWE-352

Verify integrity in audit chain (admin only). AS-IS.