[Security-news] Minify JS - Moderately critical - Cross site request forgery - SA-CONTRIB-2024-070
security-news at drupal.org
Wed Dec 4 17:22:14 UTC 2024
View online: https://www.drupal.org/sa-contrib-2024-070
Project: Minify JS [1]
Date: 2024-December-04
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross site request forgery
Affected versions: <3.0.3
Description:
The Minify JS module allows a site administrator to minify all JavaScript
files that exist in the site's code base and use those minified files on the
front end of the website.
Several administrator routes are unprotected against Cross-Site Request
Forgery (CSRF) attacks.
Solution:
Install the latest version:
* If you use the Minify JS module for Drupal 7.x, upgrade to Minify JS
7.x-1.11 [3]
* If you use the Minify JS module for Drupal 8.x, upgrade to Minify JS
3.0.3 [4]
Reported By:
* Pierre Rudloff [5]
Fixed By:
* Ivo Van Geertruyen [6] of the Drupal Security Team
* Scott Joudry [7]
Coordinated By:
* Ivo Van Geertruyen [8] of the Drupal Security Team
[1] https://www.drupal.org/project/minifyjs
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/minifyjs/releases/7.x-1.11
[4] https://www.drupal.org/project/minifyjs/releases/3.0.3
[5] https://www.drupal.org/user/3611858
[6] https://www.drupal.org/user/383424
[7] https://www.drupal.org/user/1846786
[8] https://www.drupal.org/user/383424