[Security-news] Migrate queue importer - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-024
security-news at drupal.org
security-news at drupal.org
Wed May 29 20:16:03 UTC 2024
View online: https://www.drupal.org/sa-contrib-2024-024
Project: Migrate queue importer [1]
Date: 2024-May-29
Security risk: *Moderately critical* 10∕25
AC:Basic/A:Admin/CI:None/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Request Forgery
Affected versions: <2.1.1
Description:
The Migrate queue importer module enables you to create cron
migrations(configuration entities) with a reference towards migration
entities in order to import them during cron runs.
The module doesn't sufficiently protect against Cross Site Request Forgery
under specific scenarios allowing an attacker to enable/disable a cron
migration.
This vulnerability is mitigated by the fact that an attacker must know the
id of the migration.
Solution:
Install the latest version:
* If you use Migrate queue importer module for Drupal 10, upgrade to
Migrate
queue importer 2.1.1 [3]
Reported By:
* Pierre Rudloff [4]
Fixed By:
* David Bätge [5]
* Pierre Rudloff [6]
Coordinated By:
* Greg Knaddison [7] of the Drupal Security Team
* Juraj Nemec [8] of the Drupal Security Team
[1] https://www.drupal.org/project/migrate_queue_importer
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/migrate_queue_importer/releases/2.1.1
[4] https://www.drupal.org/user/3611858
[5] https://www.drupal.org/user/2526160
[6] https://www.drupal.org/user/3611858
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/272316
More information about the Security-news
mailing list