View online: https://www.drupal.org/sa-contrib-2024-024
Project: Migrate queue importer [1] Date: 2024-May-29 Security risk: *Moderately critical* 10∕25 AC:Basic/A:Admin/CI:None/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross Site Request Forgery
Affected versions: <2.1.1 Description: The Migrate queue importer module enables you to create cron migrations(configuration entities) with a reference towards migration entities in order to import them during cron runs.
The module doesn't sufficiently protect against Cross Site Request Forgery under specific scenarios allowing an attacker to enable/disable a cron migration.
This vulnerability is mitigated by the fact that an attacker must know the id of the migration.
Solution: Install the latest version:
* If you use Migrate queue importer module for Drupal 10, upgrade to Migrate queue importer 2.1.1 [3]
Reported By: * Pierre Rudloff [4]
Fixed By: * David Bätge [5] * Pierre Rudloff [6]
Coordinated By: * Greg Knaddison [7] of the Drupal Security Team * Juraj Nemec [8] of the Drupal Security Team
[1] https://www.drupal.org/project/migrate_queue_importer [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/migrate_queue_importer/releases/2.1.1 [4] https://www.drupal.org/user/3611858 [5] https://www.drupal.org/user/2526160 [6] https://www.drupal.org/user/3611858 [7] https://www.drupal.org/user/36762 [8] https://www.drupal.org/user/272316