
it-securitynotifies - [IT-SecNots] [Security-news] The Better Mega Menu - Critical - Cross Site Request Forgery - SA-CONTRIB-2021-040

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] The Better Mega Menu - Critical - Cross Site Request Forgery - SA-CONTRIB-2021-040
  • Date: Wed, 22 Sep 2021 18:06:41 +0000 (UTC)
  • Authentication-results: mail02.piratenpartei.de; dkim=none; spf=pass (mail02.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.137 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2021-040

Project: The Better Mega Menu [1]
Date: 2021-September-22
Security risk: *Critical* 15∕25
AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Request Forgery

Description: 
This module provides an admin interface for creating drop down menus that
combine Drupal menu items with rich media content.

The module does not use CSRF tokens to protect routes for saving menu
configurations.

This vulnerability can be exploited by an anonymous user.

Solution: 
Install the latest version:

* If you use the TB Mega Menu module for Drupal 8.x, upgrade to TB MegaMenu
8.x-1.4 [3]

Reported By: 
* Patrick Fey [4]

Fixed By: 
* Patrick Fey [5]
* knaffles [6]

Coordinated By: 
* Damien McKenna [7] of the Drupal Security Team


[1] https://www.drupal.org/project/tb_megamenu
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/tb_megamenu/releases/8.x-1.4
[4] https://www.drupal.org/user/998680
[5] https://www.drupal.org/user/998680
[6] https://www.drupal.org/user/1140512
[7] https://www.drupal.org/u/damienmckenna

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
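
An added example, not part of the advisory or the module's code: a small audit that reads a Drupal `routing.yml` and lists POST controller routes that set neither `_csrf_token` nor `_csrf_request_header_token`, the Drupal core route requirements that enforce a CSRF check. The sample routes are constructed placeholders, and treating `methods: [POST]` as the marker of a state-changing route is an assumption of this example.

```python
import re

# Constructed routing.yml sample. Route names, paths and controllers are
# hypothetical placeholders, not the TB Mega Menu module's real routes.
SAMPLE_ROUTING = r"""
example_menu.admin.save:
  path: '/admin/structure/example-menu/save'
  defaults:
    _controller: '\Drupal\example_menu\Controller\AdminController::save'
  methods: [POST]
  requirements:
    _permission: 'administer example menu'
example_menu.admin.reset:
  path: '/admin/structure/example-menu/reset'
  defaults:
    _controller: '\Drupal\example_menu\Controller\AdminController::reset'
  methods: [POST]
  requirements:
    _permission: 'administer example menu'
    _csrf_token: 'TRUE'
"""

# Drupal core route requirements that enforce a CSRF token check.
CSRF_KEYS = ("_csrf_token", "_csrf_request_header_token")

def parse_routes(text):
    """Flatten each route's keys into one dict (inline `methods: [..]` only)."""
    routes, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\s*)([\w.]+):\s*(.*)$", line)
        if not m:
            continue  # blank lines, comments, list items
        indent, key, value = m.groups()
        if not indent:
            current = routes.setdefault(key, {})  # unindented key = route name
        elif current is not None:
            current[key] = value.strip("'\"")
    return routes

def routes_missing_csrf(text):
    """Names of POST controller routes with no CSRF requirement set to TRUE."""
    flagged = []
    for name, keys in parse_routes(text).items():
        protected = any(keys.get(k, "").upper() == "TRUE" for k in CSRF_KEYS)
        accepts_post = "POST" in keys.get("methods", "").upper()
        if "_controller" in keys and accepts_post and not protected:
            flagged.append(name)
    return flagged
```

Only `_controller` routes are checked because forms built with Drupal's Form API carry their own form token for logged-in users.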

