View online: https://www.drupal.org/sa-contrib-2025-017

Project: Configuration Split [1] Date: 2025-February-12 Security risk: *Moderately critical* 12 ∕ 25 AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross Site Request Forgery

Affected versions: <1.10.0 || >=2.0.0 <2.0.2 Description:  This module enables you to create super sets of configuration and enable them conditionally, for example have some modules installed only in some environments.

The module does not use Cross Site Request Forgery (CSRF) tokens to protect routes for enabling or disabling a split.

This vulnerability is mitigated by the fact that an attacker must know the machine name of a split and deceive a user with the permission to modify it. The status only takes effect when exporting the configuration (1.x and 2.x) or importing the configuration (1.x only) and the status is not fixed via configuration override, which is the typical setup.

Solution:  Install the latest version:

* If you use the Config Split module 8.x-1.x, upgrade to Config Split 8.x-1.10 [3] * If you use the Config Split module 2.0.x, upgrade to Config Split 2.0.2 [4]

Reported By:  * Eric Smith (ericgsmith) [5]

Fixed By:  * Fabian Bircher (bircher) [6]

Coordinated By:  * Greg Knaddison (greggles) [7] of the Drupal Security Team

[1] https://www.drupal.org/project/config_split [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/node/3506063 [4] https://www.drupal.org/node/3506064 [5] https://www.drupal.org/u/ericgsmith [6] https://www.drupal.org/u/bircher [7] https://www.drupal.org/u/greggles