[Security-news] General Data Protection Regulation - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-018

security-news at drupal.org
Wed Feb 26 18:35:01 UTC 2025


View online: https://www.drupal.org/sa-contrib-2025-018

Project: General Data Protection Regulation [1]
Date: 2025-February-26
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Request Forgery

Affected versions: <3.0.1 || >=3.1.0 <3.1.2
Description: 
The GDPR Task submodule enables you to create GDPR tasks.

The module doesn't sufficiently validate user identity and intent when
creating tasks, so task creation is not adequately protected against Cross
Site Request Forgery (CSRF) attacks.

Solution: 
Install the latest version:

  * If you use the General Data Protection Regulation module 3.0.x, upgrade to
    3.0.1 [3]
  * If you use the General Data Protection Regulation module 3.1.x, upgrade to
    3.1.2 [4]
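
To triage several sites against the "Affected versions" range above, the constraint can be evaluated directly. This is an added example, not code from the advisory or the GDPR project; the site names and installed versions in the inventory are constructed, and version strings that are not plain numeric releases are reported as unknown rather than guessed.

```python
import re

# Constraint copied verbatim from the advisory's "Affected versions" field.
AFFECTED = "<3.0.1 || >=3.1.0 <3.1.2"

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}


def parse_version(text):
    """Turn '3.1' or '3.1.0' into a comparable (major, minor, patch) tuple."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,2}", text):
        # Dev snapshots and pre-releases are rejected: review them by hand.
        raise ValueError(f"not a plain release version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version, constraint=AFFECTED):
    """True if version satisfies any '||' group (terms in a group are ANDed)."""
    v = parse_version(version)
    for group in constraint.split("||"):
        terms = re.findall(r"(<=|>=|<|>|=)\s*([\d.]+)", group)
        if not terms:
            raise ValueError(f"unparseable constraint group: {group!r}")
        if all(_OPS[op](v, parse_version(bound)) for op, bound in terms):
            return True
    return False


def audit(inventory):
    """Map each site to 'affected', 'ok' or 'unknown' for its module version."""
    result = {}
    for site, version in inventory.items():
        try:
            result[site] = "affected" if is_affected(version) else "ok"
        except ValueError:
            result[site] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed inventory: site name -> installed gdpr module version.
    sites = {"intranet": "3.0.0", "shop": "3.1.1", "blog": "3.1.2", "lab": "3.1.x-dev"}
    for site, status in audit(sites).items():
        print(f"{site}: {status}")
```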

Reported By: 
  * Pierre Rudloff (prudloff) [5]

Fixed By: 
  * Peter Pónya (pedrop) [6]
  * szato [7]

Coordinated By: 
  * Greg Knaddison (greggles) [8] of the Drupal Security Team


[1] https://www.drupal.org/project/gdpr
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/gdpr/releases/3.0.1
[4] https://www.drupal.org/project/gdpr/releases/3.1.2
[5] https://www.drupal.org/u/prudloff
[6] https://www.drupal.org/u/pedrop
[7] https://www.drupal.org/u/szato
[8] https://www.drupal.org/u/greggles


