[Security-news] Open Social - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-079

security-news at drupal.org security-news at drupal.org
Wed Jun 25 18:41:35 UTC 2025


View online: https://www.drupal.org/sa-contrib-2025-079

Project: Open Social [1]
Date: 2025-June-25
Security risk: *Moderately critical* 13 ∕ 25
AC:None/A:User/CI:None/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Request Forgery

Affected versions: <12.3.14 || >=12.4.0 <12.4.13
CVE IDs: CVE-2025-48921
Description: 
Open Social is a Drupal distribution for online communities, which ships with
a default module that allows users to enroll in events.

The module does not sufficiently protect certain routes from Cross Site
Request Forgery (CSRF) attacks, so users can be tricked into accepting or
rejecting these enrollments.

This issue only affects sites that have event enrollments enabled for an
event.
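For reference, the standard Drupal mechanism for closing this class of bug is a `_csrf_token` requirement on the route. The following is an added illustration, not Open Social's routing file or its actual fix; the module name, route names, paths, controller class and permission name are hypothetical placeholders.

```yaml
# Added example, not Open Social's own code. All names below are hypothetical.

# Weak: a state-changing action reachable by a plain GET link guarded only
# by a permission check. The browser attaches the user's session cookie to
# any request for this URL, wherever the link originates, so a logged-in
# user can be made to accept an enrollment without intending to.
example_events.enrollment_accept_weak:
  path: '/event/{node}/enrollment/{enrollment_id}/accept'
  defaults:
    _controller: '\Drupal\example_events\Controller\EnrollmentController::accept'
    _title: 'Accept enrollment'
  requirements:
    _permission: 'manage event enrollments'

# Corrected: additionally require a CSRF token bound to the current session.
# When links to this route are generated through Url::fromRoute() or
# Link::createFromRoute(), Drupal's CSRF route processor appends the
# ?token=... query parameter automatically, and the CSRF access check
# rejects any request whose token is missing or does not match the session.
example_events.enrollment_accept:
  path: '/event/{node}/enrollment/{enrollment_id}/accept'
  defaults:
    _controller: '\Drupal\example_events\Controller\EnrollmentController::accept'
    _title: 'Accept enrollment'
  requirements:
    _permission: 'manage event enrollments'
    _csrf_token: 'TRUE'
```

The same requirement belongs on the corresponding reject route; links that are built by hand as plain strings rather than through the URL generator will not carry the token and will be denied, which is a useful signal during testing.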

Solution: 
Install the latest version:

  * If you use Open Social 12.3.x upgrade to Open Social 12.3.14 [3]
  * If you use Open Social 12.4.x upgrade to Open Social 12.4.13 [4]

Reported By: 
  * Ivo Van Geertruyen (mr.baileys) [5] of the Drupal Security Team

Fixed By: 
  * Alexander Varwijk (kingdutch) [6]
  * Robert Ragas (robertragas) [7]

Coordinated By: 
  * Greg Knaddison (greggles) [8] of the Drupal Security Team


[1] https://www.drupal.org/project/social
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/social/releases/12.3.14
[4] https://www.drupal.org/project/social/releases/12.4.13
[5] https://www.drupal.org/u/mrbaileys
[6] https://www.drupal.org/u/kingdutch
[7] https://www.drupal.org/u/robertragas
[8] https://www.drupal.org/u/greggles