View online: https://www.drupal.org/sa-contrib-2017-091
Project: Configuration Update Manager [1] Version: 8.x-1.4 Date: 2017-December-06 Security risk: *Moderately critical* 12∕25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Cross Site Request Forgery (CSRF)
Description: The Configuration Update Reports sub-module in the Configuration Update module project enables you to run reports to see what configuration on your site differs from the configuration distributed by a module, theme, or installation profile, and to revert, delete, or import configuration.
This module doesn't sufficiently protect the Import operation, thereby exposing a Cross Site Request Forgery (CSRF) vulnerability which can be exploited by unprivileged users to trick an administrator into unwanted import of configuration.
This vulnerability is mitigated by the fact that only configuration items distributed with a module, theme, or installation profile that is currently installed and enabled on the site can be imported, not arbitrary configuration values.
Solution: Install the latest version:
* If you use the Configuration Update Manager module and its Reports sub-module for Drupal 8.x, upgrade to Configuration Update Manager version 8.x-1.5 [3]
Alternatively, you could remove the permission "import configuration" from all roles on the site, or uninstall the Configuration Update Reports sub-module from your production sites.
Also see the Configuration Update Manager [4] project page.
Reported By: * Jean-Francois Hovinne [5]
Fixed By: * Jennifer Hodgdon [6] the module maintainer
Coordinated By: * Greg Knaddison [7] of the Drupal Security Team * Lee Rowlands [8] of the Drupal Security Team
[1] https://www.drupal.org/project/config_update [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/config_update/releases/8.x-1.5 [4] https://www.drupal.org/project/config_update [5] https://www.drupal.org/u/jfhovinne [6] https://www.drupal.org/u/jhodgdon [7] https://www.drupal.org/u/greggles [8] https://www.drupal.org/u/larowlan