[Security-news] Drupal Symfony Mailer Lite - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-014
security-news at drupal.org
Wed Feb 28 19:05:40 UTC 2024
View online: https://www.drupal.org/sa-contrib-2024-014
Project: Drupal Symfony Mailer Lite [1]
Date: 2024-February-28
Security risk: *Moderately critical* 12/25
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Request Forgery
Affected versions: <1.0.6
Description:
The module doesn’t sufficiently protect against malicious links, which
means an attacker can trick an administrator into performing unwanted
actions.
This vulnerability is mitigated by the fact that the set of unwanted actions
is limited to specific configurations.
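The defect described above is the Drupal-specific form of link-based CSRF: a state-changing action reachable by a plain GET link with only a permission check. The following routing fragment is an added illustration, not the Symfony Mailer Lite module's own routing file; the module name, route names, path, controller and permission are made up, and the two routes are shown as a before/after pair, not as entries meant to coexist in one file.

```yaml
# Hypothetical routing.yml for a Drupal module (illustration only; not the
# advisory's module). Both routes run a state-changing action when an
# administrator follows a link.

# Weak: any link to this path triggers the action as soon as a logged-in
# administrator opens it, so a crafted link on another site suffices.
example.transport_reset_weak:
  path: '/admin/config/example/reset-transport'
  defaults:
    _controller: '\Drupal\example\Controller\TransportController::reset'
    _title: 'Reset transport'
  requirements:
    _permission: 'administer example settings'

# Corrected: the _csrf_token requirement makes core's CsrfAccessCheck
# require a ?token= query value bound to this path and the current session.
# Links built with Url::fromRoute('example.transport_reset')->toString()
# get the token appended by core's RouteProcessorCsrf, so the module's own
# UI keeps working while a foreign link without a valid token is denied.
example.transport_reset:
  path: '/admin/config/example/reset-transport'
  defaults:
    _controller: '\Drupal\example\Controller\TransportController::reset'
    _title: 'Reset transport'
  requirements:
    _permission: 'administer example settings'
    _csrf_token: 'TRUE'
```

Where the action warrants it, a ConfirmFormBase form (POST, with the Form API's form_token) is the other idiomatic Drupal choice; either way the check is that a foreign link cannot carry a valid token.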
Solution:
Upgrade to Symfony Mailer Lite 1.0.6 [3] and rebuild Drupal's cache.
Reported By:
* Mingsong [4]
Fixed By:
* Lee Rowlands [5] of the Drupal Security Team
* Wayne Eaker [6]
Coordinated By:
* Greg Knaddison [7] of the Drupal Security Team
* Juraj Nemec [8] of the Drupal Security Team
* Lee Rowlands [9] of the Drupal Security Team
[1] https://www.drupal.org/project/symfony_mailer_lite
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/symfony_mailer_lite/releases/1.0.6
[4] https://www.drupal.org/user/2986445
[5] https://www.drupal.org/user/395439
[6] https://www.drupal.org/user/326925
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/272316
[9] https://www.drupal.org/user/395439