View online: https://www.drupal.org/sa-contrib-2024-024

Project: Migrate queue importer [1] Date: 2024-May-29 Security risk: *Moderately critical* 10∕25 AC:Basic/A:Admin/CI:None/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross Site Request Forgery

Affected versions: <2.1.1 Description:  The Migrate queue importer module enables you to create cron migrations(configuration entities) with a reference towards migration entities in order to import them during cron runs.

The module doesn't sufficiently protect against Cross Site Request Forgery under specific scenarios allowing an attacker to enable/disable a cron migration.

This vulnerability is mitigated by the fact that an attacker must know the id of the migration.

Solution:  Install the latest version:

* If you use Migrate queue importer module for Drupal 10, upgrade to Migrate queue importer 2.1.1 [3]

Reported By:  * Pierre Rudloff [4]

Fixed By:  * David Bätge [5] * Pierre Rudloff [6]

Coordinated By:  * Greg Knaddison [7] of the Drupal Security Team * Juraj Nemec [8] of the Drupal Security Team

[1] https://www.drupal.org/project/migrate_queue_importer [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/migrate_queue_importer/releases/2.1.1 [4] https://www.drupal.org/user/3611858 [5] https://www.drupal.org/user/2526160 [6] https://www.drupal.org/user/3611858 [7] https://www.drupal.org/user/36762 [8] https://www.drupal.org/user/272316