View online: https://www.drupal.org/sa-contrib-2024-024 Project: Migrate queue importer [1] Date: 2024-May-29 Security risk: *Moderately critical* 10∕25 AC:Basic/A:Admin/CI:None/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross Site Request Forgery Affected versions: <2.1.1 Description: The Migrate queue importer module enables you to create cron migrations(configuration entities) with a reference towards migration entities in order to import them during cron runs. The module doesn't sufficiently protect against Cross Site Request Forgery under specific scenarios allowing an attacker to enable/disable a cron migration. This vulnerability is mitigated by the fact that an attacker must know the id of the migration. Solution: Install the latest version: * If you use Migrate queue importer module for Drupal 10, upgrade to Migrate queue importer 2.1.1 [3] Reported By: * Pierre Rudloff [4] Fixed By: * David Bätge [5] * Pierre Rudloff [6] Coordinated By: * Greg Knaddison [7] of the Drupal Security Team * Juraj Nemec [8] of the Drupal Security Team [1] https://www.drupal.org/project/migrate_queue_importer [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/migrate_queue_importer/releases/2.1.1 [4] https://www.drupal.org/user/3611858 [5] https://www.drupal.org/user/2526160 [6] https://www.drupal.org/user/3611858 [7] https://www.drupal.org/user/36762 [8] https://www.drupal.org/user/272316