[Security-news] Gutenberg - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-048

[security-news at drupal.org]

View online: https://www.drupal.org/sa-contrib-2024-048

Project: Gutenberg [1]
Date: 2024-October-09
Security risk: *Moderately critical* 12 ∕ 25
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Request Forgery

Affected versions: <2.13.0 || >=3.0.0 <3.0.5
Description: 
This module provides a new UI experience for node editing using the Gutenberg
Editor library.

The module did not sufficiently protect some routes against a Cross Site
Request Forgery attack.

This vulnerability is mitigated by the fact that the tricked user needs to
have an active session with the "use gutenberg" permission.

Solution: 
Install the latest version:

   * If you use the Gutenberg module versions 8.x-2.x, upgrade to Gutenberg
     8.x-2.13 [3]
   * If you use the Gutenberg module versions 3.0.x, upgrade to Gutenberg 
3.0.5
     [4]

Reported By: 
   * Mingsong  [5]

Fixed By: 
   * Mingsong  [6]
   * Lee Rowlands [7] of the Drupal Security Team
   * Eirik Morland [8]
   * Stephan Zeidler [9]
   * Cathy Theys [10] of the Drupal Security Team
   * codebymikey [11]
   * Marco Fernandes [12]

Coordinated By: 
   * Greg Knaddison [13] of the Drupal Security Team
   * Juraj Nemec [14] of the Drupal Security Team


[1] https://www.drupal.org/project/gutenberg
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/gutenberg/releases/8.x-2.13
[4] https://www.drupal.org/project/gutenberg/releases/3.0.5
[5] https://www.drupal.org/user/2986445
[6] https://www.drupal.org/user/2986445
[7] https://www.drupal.org/user/395439
[8] https://www.drupal.org/user/1014468
[9] https://www.drupal.org/user/767652
[10] https://www.drupal.org/user/258568
[11] https://www.drupal.org/user/3573206
[12] https://www.drupal.org/user/2127558
[13] https://www.drupal.org/u/greggles
[14] https://www.drupal.org/u/poker10