View online: https://www.drupal.org/sa-contrib-2025-030-0
Project: ECA: Event - Condition - Action [1]
Date: 2025-April-09
Security risk: *Critical* 16/25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross site request forgery
Affected versions: <1.1.12 || >=2.0.0 <2.0.16 || >=2.1.0 <2.1.7 || 1.2.*
CVE IDs: CVE-2025-3131
Description: This module enables you to define automations on your Drupal site.
The module doesn't sufficiently protect certain routes from CSRF attacks.
This vulnerability is mitigated by the fact that an attacker must get a user who holds the "administer eca" permission to visit an attacker-controlled page or follow a crafted link while logged in to the site. It can also be mitigated by disabling the "eca_ui" submodule, which leaves ECA functionality intact; the vulnerable routes belong to that submodule and will no longer be available.
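The weakness class here is a state-changing route that is reachable by a plain GET with only a permission check. The following routing.yml fragment is an added illustration for this advisory, not ECA's own code: the module name, route names, path and controller class (example_automations.*, ExampleController) are hypothetical, and the advisory does not name the affected routes. It shows the weak route definition beside the hardened one that Drupal core supports out of the box.

```yaml
# Added illustration, not from the ECA project. Route names, the path and the
# controller class are hypothetical. Both routes change server-side state
# (they disable an automation) and are therefore CSRF-relevant.

# Weak form, shown only for contrast (do not ship this): a GET route guarded
# solely by a permission. Any page a logged-in administrator visits can fire
# it with an <img src> or a hidden auto-submitting form, because the browser
# attaches the session cookie on its own.
example_automations.disable_unguarded:
  path: '/admin/config/example-automations/{id}/disable-unguarded'
  defaults:
    _controller: '\Drupal\example_automations\Controller\ExampleController::disable'
    _title: 'Disable automation'
  requirements:
    _permission: 'administer example automations'

# Hardened form: the same route with the core CSRF token requirement added.
# Drupal's CsrfAccessCheck rejects requests whose ?token= query parameter does
# not validate for this path and the current session (the request is denied
# with a 403), and RouteProcessorCsrf appends a valid token automatically to
# links built with Url::fromRoute() or Link::createFromRoute(), so the
# controller itself does not change.
example_automations.disable:
  path: '/admin/config/example-automations/{id}/disable'
  defaults:
    _controller: '\Drupal\example_automations\Controller\ExampleController::disable'
    _title: 'Disable automation'
  requirements:
    _permission: 'administer example automations'
    _csrf_token: 'TRUE'
```

For destructive actions the more robust pattern is a confirmation form (a ConfirmFormBase subclass) submitted via POST, where the Form API token provides the CSRF protection; `_csrf_token: 'TRUE'` is the minimal fix for link-driven GET routes. After upgrading, `composer show drupal/eca` reports the installed version, and a request to a protected route without a valid token query parameter should be refused with a 403 rather than acted on.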
Solution: Install the latest version:
* If you use the ECA module for Drupal 10 or 11, upgrade to ECA 1.1.12 [3] or ECA 2.0.16 [4] or ECA 2.1.7 [5]
Reported By:
* Juraj Nemec (poker10) [6] of the Drupal Security Team
Fixed By:
* Benji Fisher (benjifisher) [7] of the Drupal Security Team
* Jürgen Haas (jurgenhaas) [8]
* Lee Rowlands (larowlan) [9] of the Drupal Security Team
Coordinated By:
* Greg Knaddison (greggles) [10] of the Drupal Security Team
* Juraj Nemec (poker10) [11] of the Drupal Security Team
Security issue: https://git.drupalcode.org/security/9-eca-security/-/issues/1 [12]
[1] https://www.drupal.org/project/eca
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/eca/releases/1.1.12
[4] https://www.drupal.org/project/eca/releases/2.0.16
[5] https://www.drupal.org/project/eca/releases/2.1.7
[6] https://www.drupal.org/u/poker10
[7] https://www.drupal.org/u/benjifisher
[8] https://www.drupal.org/u/jurgenhaas
[9] https://www.drupal.org/u/larowlan
[10] https://www.drupal.org/u/greggles
[11] https://www.drupal.org/u/poker10
[12] https://git.drupalcode.org/security/9-eca-security/-/issues/1