[Security-news] Drupal Symfony Mailer - Moderately critical - Cross site request forgery - SA-CONTRIB-2023-031

security-news at drupal.org security-news at drupal.org
Wed Jul 26 20:05:01 UTC 2023


View online: https://www.drupal.org/sa-contrib-2023-031

Project: Drupal Symfony Mailer [1]
Date: 2023-July-26
Security risk: *Moderately critical* 12/25
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross site request forgery

Affected versions: <1.2.2 || >=1.3.0 <1.3.0-rc3
Description: 
The module does not sufficiently protect its state-changing links against
cross-site request forgery, which means an attacker can trick an
administrator into performing unwanted actions by getting them to follow a
crafted link.

This vulnerability is mitigated by the fact that the set of unwanted actions
is limited to specific configurations.
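The standard Drupal mitigation for an unprotected GET action link is a CSRF token requirement on the route. The following routing fragment is an added illustration, not the module's own code or its actual fix; the module name "mymodule", the route names, the path and the controller are hypothetical, and the two routes are shown side by side for comparison only (a real module would contain just the hardened one).

```yaml
# Added illustration (hypothetical module "mymodule"): a GET route that
# changes configuration when an administrator follows the link.
#
# Weak: the only requirement is a permission the administrator already holds,
# so any crafted link the administrator follows while logged in triggers
# the action.
mymodule.policy_toggle_weak:
  path: '/admin/config/system/mymodule/policy/{policy}/toggle'
  defaults:
    _controller: '\Drupal\mymodule\Controller\PolicyController::toggle'
    _title: 'Toggle policy'
  requirements:
    _permission: 'administer mymodule'

# Hardened: '_csrf_token: TRUE' makes core's CsrfAccessCheck require a valid
# ?token= query parameter that is bound to this exact path (with the {policy}
# value substituted) and to the current session. Links generated with
# Url::fromRoute('mymodule.policy_toggle', ['policy' => ...]) get the token
# appended automatically by core's RouteProcessorCsrf, so the module's own
# admin UI keeps working while a link assembled by a third party carries no
# valid token and is denied.
mymodule.policy_toggle:
  path: '/admin/config/system/mymodule/policy/{policy}/toggle'
  defaults:
    _controller: '\Drupal\mymodule\Controller\PolicyController::toggle'
    _title: 'Toggle policy'
  requirements:
    _permission: 'administer mymodule'
    _csrf_token: 'TRUE'
```

An alternative with the same effect is to route the action through a confirmation form (ConfirmFormBase), whose form token is validated by the Form API on submit.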

Solution: 
   * If you use Drupal Symfony Mailer module v1.2.x, upgrade to v1.2.2 [3].
   * If you use Drupal Symfony Mailer module v1.3.x, upgrade to v1.3.0-rc3 [4].

Reported By: 
   * Mingsong [5]

Fixed By: 
   * Mingsong [6]
   * Adam Shepherd [7]
   * Lee Rowlands [8] of the Drupal Security Team


[1] https://www.drupal.org/project/symfony_mailer
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/symfony_mailer/releases/1.2.2
[4] https://www.drupal.org/project/symfony_mailer/releases/1.3.0-rc3
[5] https://www.drupal.org/user/2986445
[6] https://www.drupal.org/user/2986445
[7] https://www.drupal.org/user/2650563
[8] https://www.drupal.org/user/395439
