[Security-news] Drupal Symfony Mailer - Moderately critical - Cross site request forgery - SA-CONTRIB-2023-031
security-news at drupal.org
security-news at drupal.org
Wed Jul 26 20:05:01 UTC 2023
View online: https://www.drupal.org/sa-contrib-2023-031
Project: Drupal Symfony Mailer [1]
Date: 2023-July-26
Security risk: *Moderately critical* 12∕25
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross site request forgery
Affected versions: <1.2.2 || >=1.3.0 <1.3.0-rc3
Description:
The module doesn’t sufficiently protect against malicious links, which
means an attacker can trick an administrator into performing unwanted
actions.
This vulnerability is mitigated by the fact that the set of unwanted actions
is limited to specific configurations.
Solution:
* If you use Drupal Symfony Mailer module v1.2.x, upgrade to v1.2.2 [3].
* If you use Drupal Symfony Mailer module v1.3.x, upgrade to v1.3.0-rc3
[4].
Reported By:
* Mingsong [5]
Fixed By:
* Mingsong [6]
* Adam Shepherd [7]
* Lee Rowlands [8] of the Drupal Security Team
[1] https://www.drupal.org/project/symfony_mailer
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/symfony_mailer/releases/1.2.2
[4] https://www.drupal.org/project/symfony_mailer/releases/1.3.0-rc3
[5] https://www.drupal.org/user/2986445
[6] https://www.drupal.org/user/2986445
[7] https://www.drupal.org/user/2650563
[8] https://www.drupal.org/user/395439
More information about the Security-news
mailing list