[Security-news] ECA: Event - Condition - Action - Critical - Cross site request forgery - SA-CONTRIB-2025-030
security-news at drupal.org
Wed Apr 9 17:04:16 UTC 2025
View online: https://www.drupal.org/sa-contrib-2025-030-0
Project: ECA: Event - Condition - Action [1]
Date: 2025-April-09
Security risk: *Critical* 16 ∕ 25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross site request forgery
Affected versions: <1.1.12 || >=2.0.0 <2.0.16 || >=2.1.0 <2.1.7 || 1.2.*
CVE IDs: CVE-2025-3131
Description:
This module enables you to define automations on your Drupal site.
The module doesn't sufficiently protect certain routes from CSRF attacks.
This vulnerability is mitigated by the fact that an attacker must get a user
with the permission "administer eca" to follow a link to a given site. It can
also be mitigated by disabling the "eca_ui" submodule, which leaves ECA
functionality intact, but the vulnerable routes will no longer be available.
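The advisory states that certain ECA UI routes lacked CSRF protection. The following is an added illustration, not ECA's own code, of the Drupal route-definition pattern behind this class of issue: the same state-changing route declared without and with the `_csrf_token` requirement. The module, route and controller names are hypothetical.

```yaml
# Added example (hypothetical names), not taken from the ECA module.

# Weak: a state-changing action reachable by a plain GET request with no
# CSRF token. A request for this path carries the user's session cookie, so
# Drupal cannot tell a click on the site's own UI from a request triggered
# by another site; the permission check alone does not prevent that.
example_module.weak_action:
  path: '/admin/config/example/{id}/disable'
  defaults:
    _controller: '\Drupal\example_module\Controller\ActionController::disable'
  requirements:
    _permission: 'administer eca'

# Hardened: require a CSRF token on the route. The routing system rejects
# requests whose "token" query value does not validate for the current
# session, and links built with Url::fromRoute() or Link::createFromRoute()
# have the token appended automatically, so the site's own UI keeps working.
example_module.hardened_action:
  path: '/admin/config/example/{id}/disable'
  defaults:
    _controller: '\Drupal\example_module\Controller\ActionController::disable'
  requirements:
    _permission: 'administer eca'
    _csrf_token: 'TRUE'
```

When reviewing a contributed module, grep its `*.routing.yml` files for routes that change state and lack either `_csrf_token: 'TRUE'` or a Form API handler, since forms carry their own token.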
Solution:
Install the latest version:
* If you use the ECA module for Drupal 10 or 11, upgrade to ECA 1.1.12 [3]
or ECA 2.0.16 [4] or ECA 2.1.7 [5]
Reported By:
* Juraj Nemec (poker10) [6] of the Drupal Security Team
Fixed By:
* Benji Fisher (benjifisher) [7] of the Drupal Security Team
* Jürgen Haas (jurgenhaas) [8]
* Lee Rowlands (larowlan) [9] of the Drupal Security Team
Coordinated By:
* Greg Knaddison (greggles) [10] of the Drupal Security Team
* Juraj Nemec (poker10) [11] of the Drupal Security Team
Security issue: https://git.drupalcode.org/security/9-eca-security/-/issues/1 [12]
[1] https://www.drupal.org/project/eca
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/eca/releases/1.1.12
[4] https://www.drupal.org/project/eca/releases/2.0.16
[5] https://www.drupal.org/project/eca/releases/2.1.7
[6] https://www.drupal.org/u/poker10
[7] https://www.drupal.org/u/benjifisher
[8] https://www.drupal.org/u/jurgenhaas
[9] https://www.drupal.org/u/larowlan
[10] https://www.drupal.org/u/greggles
[11] https://www.drupal.org/u/poker10
[12] https://git.drupalcode.org/security/9-eca-security/-/issues/1