Detailed response to publicly posted CSRF concerns in Drupal 7.12
Posted by greggles on March 9, 2012 at 6:24pm
Several sources are publishing a supposed vulnerability in Drupal. One source is the security site Packet Storm Security, whose report is attached here. This post is a response to that issue.
Summary
The Drupal Security team has concluded that this does not constitute a valid vulnerability. The attack depends on a "Man In the Middle" attack or sniffing software, which is outside of Drupal and presents a much bigger risk.