View online: https://www.drupal.org/sa-contrib-2023-031
Project: Drupal Symfony Mailer [1]
Date: 2023-July-26
Security risk: *Moderately critical* 12/25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross site request forgery
Affected versions: <1.2.2 || >=1.3.0 <1.3.0-rc3

Description:
The module doesn't sufficiently protect against malicious links, which means an attacker can trick an administrator into performing unwanted actions.
This vulnerability is mitigated by the fact that the set of unwanted actions is limited to specific configurations.
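The generic Drupal mitigation for this class of issue is to require a CSRF token on any route that changes state from a link. The routing fragment below is an added illustration, not the Symfony Mailer module's own routing file or fix; the route names, path, controller class and permission string are hypothetical placeholders. It shows the weak pattern (a configuration-changing GET route with no token requirement) next to the hardened one. What is real Drupal core behaviour: the `_csrf_token: 'TRUE'` route requirement, `RouteProcessorCsrf` appending `?token=...` to URLs generated for that route with `Url::fromRoute()`, and `CsrfAccessCheck` denying requests whose token is absent or does not belong to the current session.

```yaml
# Added illustrative example; not the symfony_mailer module's routing.
# Route names, path, controller and permission are hypothetical placeholders.

# Weak pattern: a GET route that changes configuration with no CSRF token.
# Any third-party page can embed a link to this path; an authenticated
# administrator who follows it performs the action without intending to.
example.config_item.disable_weak:
  path: '/admin/config/system/example/{id}/disable-weak'
  defaults:
    _controller: '\Drupal\example\Controller\ConfigItemController::disable'
  requirements:
    _permission: 'administer example configuration'

# Hardened pattern: require a CSRF token. Drupal core's RouteProcessorCsrf
# appends ?token=... to every URL built for this route via Url::fromRoute(),
# and CsrfAccessCheck rejects requests whose token is missing or does not
# match the current session, so a link forged on another site is denied.
example.config_item.disable:
  path: '/admin/config/system/example/{id}/disable'
  defaults:
    _controller: '\Drupal\example\Controller\ConfigItemController::disable'
  requirements:
    _permission: 'administer example configuration'
    _csrf_token: 'TRUE'
```

Links to the hardened route must be built with `Url::fromRoute()` (or `Link::createFromRoute()`) rather than hand-written paths, otherwise the token is not added and legitimate links break. For destructive or configuration-changing actions, a confirmation form based on core's `ConfirmFormBase` (which submits via POST with Drupal's form token) is the stronger pattern than a tokenised GET link.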
Solution:
* If you use Drupal Symfony Mailer module v1.2.x, upgrade to v1.2.2 [3].
* If you use Drupal Symfony Mailer module v1.3.x, upgrade to v1.3.0-rc3 [4].

Reported By:
* Mingsong [5]

Fixed By:
* Mingsong [6]
* Adam Shepherd [7]
* Lee Rowlands [8] of the Drupal Security Team
[1] https://www.drupal.org/project/symfony_mailer
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/symfony_mailer/releases/1.2.2
[4] https://www.drupal.org/project/symfony_mailer/releases/1.3.0-rc3
[5] https://www.drupal.org/user/2986445
[6] https://www.drupal.org/user/2986445
[7] https://www.drupal.org/user/2650563
[8] https://www.drupal.org/user/395439