View online: https://www.drupal.org/sa-contrib-2024-014
Project: Drupal Symfony Mailer Lite [1]
Date: 2024-February-28
Security risk: *Moderately critical* 12/25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Request Forgery
Affected versions: <1.0.6

Description: The module does not sufficiently protect against malicious links (cross-site request forgery). An attacker who can get an authenticated administrator to follow a crafted link can cause that administrator's browser to submit a request the administrator never intended, so the action runs with the administrator's privileges.

This vulnerability is mitigated by the fact that the set of unwanted actions is limited to specific configuration changes; the risk rating accordingly records no confidentiality impact (CI:None) and only some integrity impact (II:Some).

Solution: Upgrade to Symfony Mailer Lite 1.0.6 [3] (or any later release) and rebuild Drupal's cache (for example with drush cr).
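As a practitioner's check that is not part of this advisory or of the module's own code: the following Python reads a site's composer.lock and reports whether the pinned drupal/symfony_mailer_lite release falls inside the affected range (every release below 1.0.6). The package name is the one Composer uses for drupal.org projects (assumption: the site installs contrib modules through Composer), the lockfile excerpt embedded in the script is constructed sample data, and the version comparison deliberately treats 1.0.10 as newer than 1.0.6 and refuses to classify a dev checkout such as 1.0.x-dev as safe.

```python
"""Check whether a Drupal site's composer.lock pins a Symfony Mailer Lite
release affected by SA-CONTRIB-2024-014 (every release below 1.0.6).

Illustrative check added alongside the advisory; it is not part of the
advisory or of the module. The lockfile excerpt below is constructed data.
"""
import json
import re

PACKAGE = "drupal/symfony_mailer_lite"   # Composer name of the drupal.org project
FIXED_IN = "1.0.6"                        # first release that is not affected

# Constructed composer.lock excerpt (assumption: the site installs contrib
# modules through Composer, which is how drupal.org distributes them).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.2.3"},
        {"name": "drupal/symfony_mailer_lite", "version": "1.0.5"},
    ],
    "packages-dev": [],
})

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?")


def parse_version(version):
    """Split '1.0.5', 'v1.0.10' or '1.0.6-beta1' into (numbers, prerelease).

    Raises ValueError for strings that are not releases (e.g. '1.0.x-dev'),
    so callers cannot silently treat a dev checkout as safe."""
    m = _VERSION_RE.fullmatch(version.lstrip("v"))
    if not m:
        raise ValueError(f"not a release version: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, m.group(2) or ""


def compare_versions(a, b):
    """Return -1, 0 or 1 like a comparator. Numeric parts compare as integers
    (so 1.0.10 > 1.0.6), missing parts count as 0 (1.0 == 1.0.0), and a
    pre-release sorts below the bare release with the same numbers."""
    na, pa = parse_version(a)
    nb, pb = parse_version(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))
    nb += (0,) * (width - len(nb))
    if na != nb:
        return -1 if na < nb else 1
    if pa == pb:
        return 0
    if not pa:          # bare release beats any pre-release
        return 1
    if not pb:
        return -1
    return -1 if pa < pb else 1


def is_affected(version, fixed_in=FIXED_IN):
    """True when `version` is below the first fixed release."""
    return compare_versions(version, fixed_in) < 0


def installed_version(lock_json, package=PACKAGE):
    """Version string pinned for `package` in a composer.lock, or None."""
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def check_lock(lock_json):
    """Summarise exposure as (installed_version, affected).

    `affected` is True/False for a release, None when the pinned version is
    not a release (dev branch) and must be verified by hand; the module not
    being installed at all is reported as (None, False)."""
    version = installed_version(lock_json)
    if version is None:
        return None, False
    try:
        return version, is_affected(version)
    except ValueError:
        return version, None


if __name__ == "__main__":
    version, affected = check_lock(SAMPLE_LOCK)
    if version is None:
        print(f"{PACKAGE} is not in the lockfile")
    elif affected is None:
        print(f"{PACKAGE} {version}: not a release, verify manually")
    elif affected:
        print(f"{PACKAGE} {version}: AFFECTED, upgrade to {FIXED_IN} and rebuild caches")
    else:
        print(f"{PACKAGE} {version}: not affected")
```

To run it against a real site, replace SAMPLE_LOCK with the contents of the site's composer.lock; sites that ship the module outside Composer (for example a tarball dropped into modules/contrib) are not covered by this check and need the version read from the module's .info.yml instead.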
Reported By:
* Mingsong [4]

Fixed By:
* Lee Rowlands [5] of the Drupal Security Team
* Wayne Eaker [6]

Coordinated By:
* Greg Knaddison [7] of the Drupal Security Team
* Juraj Nemec [8] of the Drupal Security Team
* Lee Rowlands [9] of the Drupal Security Team

[1] https://www.drupal.org/project/symfony_mailer_lite
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/symfony_mailer_lite/releases/1.0.6
[4] https://www.drupal.org/user/2986445
[5] https://www.drupal.org/user/395439
[6] https://www.drupal.org/user/326925
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/272316
[9] https://www.drupal.org/user/395439