View online: https://www.drupal.org/sa-contrib-2024-048
Project: Gutenberg [1] Date: 2024-October-09 Security risk: *Moderately critical* 12 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Cross Site Request Forgery
Affected versions: <2.13.0 || >=3.0.0 <3.0.5 Description: This module provides a new UI experience for node editing using the Gutenberg Editor library.
The module did not sufficiently protect some routes against a Cross Site Request Forgery attack.
This vulnerability is mitigated by the fact that the tricked user needs to have an active session with the "use gutenberg" permission.
Solution: Install the latest version:
* If you use the Gutenberg module versions 8.x-2.x, upgrade to Gutenberg 8.x-2.13 [3] * If you use the Gutenberg module versions 3.0.x, upgrade to Gutenberg 3.0.5 [4]
Reported By: * Mingsong [5]
Fixed By: * Mingsong [6] * Lee Rowlands [7] of the Drupal Security Team * Eirik Morland [8] * Stephan Zeidler [9] * Cathy Theys [10] of the Drupal Security Team * codebymikey [11] * Marco Fernandes [12]
Coordinated By: * Greg Knaddison [13] of the Drupal Security Team * Juraj Nemec [14] of the Drupal Security Team
[1] https://www.drupal.org/project/gutenberg [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/gutenberg/releases/8.x-2.13 [4] https://www.drupal.org/project/gutenberg/releases/3.0.5 [5] https://www.drupal.org/user/2986445 [6] https://www.drupal.org/user/2986445 [7] https://www.drupal.org/user/395439 [8] https://www.drupal.org/user/1014468 [9] https://www.drupal.org/user/767652 [10] https://www.drupal.org/user/258568 [11] https://www.drupal.org/user/3573206 [12] https://www.drupal.org/user/2127558 [13] https://www.drupal.org/u/greggles [14] https://www.drupal.org/u/poker10