it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
[IT-SecNots] [Security-news] Drupal Symfony Mailer - Moderately critical - Cross site request forgery - SA-CONTRIB-2023-031
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Drupal Symfony Mailer - Moderately critical - Cross site request forgery - SA-CONTRIB-2023-031
- Date: Wed, 26 Jul 2023 20:05:01 +0000 (UTC)
- Authentication-results: mail.piratenpartei.de; dkim=none; spf=pass (mail.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 2605:bc80:3010::133 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 4A22141CB5
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 5FDBC429E7
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 4A6F66129D
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 9635F61220
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2023-031
Project: Drupal Symfony Mailer [1]
Date: 2023-July-26
Security risk: *Moderately critical* 12/25
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross site request forgery
Affected versions: <1.2.2 || >=1.3.0 <1.3.0-rc3
Description:
The module does not sufficiently protect against malicious links (cross-site
request forgery): an attacker can trick an administrator into following a
crafted link that causes the administrator's browser to perform unwanted
actions in the module.
This vulnerability is mitigated by the fact that the set of unwanted actions
is limited to specific configurations.
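The pattern behind this class of bug in a Drupal module, shown as an added example that is not the Drupal Symfony Mailer module's own code and does not reproduce its actual fix: a state-changing admin action reachable by a plain GET link can be triggered from any page the administrator visits, and Drupal's remedy is to require a CSRF token on the route so that core's access check rejects forged requests. The module name `example_mailer`, the route names, the config object and the "reset transport" action are all invented for illustration.

```php
<?php
// Added illustration, not code from the Drupal Symfony Mailer module.
// Hypothetical module "example_mailer" with one admin action that is
// triggered by a link. All names below are assumptions.
//
// example_mailer.routing.yml (the route the controller below assumes):
//
//   # Vulnerable: a plain GET link performs a state change, so a page the
//   # administrator visits can forge it with an <a> or <img> pointing at
//   # /admin/config/system/example-mailer/<transport>/reset.
//   example_mailer.reset:
//     path: '/admin/config/system/example-mailer/{transport}/reset'
//     defaults:
//       _controller: '\Drupal\example_mailer\Controller\ResetController::reset'
//     requirements:
//       _permission: 'administer example mailer'
//
//   # Hardened: require a CSRF token. Core's CsrfAccessCheck then validates
//   # the ?token= query parameter against the current session and the route
//   # path, and Url::fromRoute() appends that token when the link is built.
//   example_mailer.reset:
//     path: '/admin/config/system/example-mailer/{transport}/reset'
//     defaults:
//       _controller: '\Drupal\example_mailer\Controller\ResetController::reset'
//     requirements:
//       _permission: 'administer example mailer'
//       _csrf_token: 'TRUE'

namespace Drupal\example_mailer\Controller;

use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Url;
use Symfony\Component\HttpFoundation\RedirectResponse;

/**
 * Link-triggered admin action, protected by the route's _csrf_token requirement.
 */
class ResetController extends ControllerBase {

  /**
   * Resets a hypothetical transport config object to a safe default.
   *
   * Reachable via GET; that is only acceptable because the hardened route
   * definition carries `_csrf_token: 'TRUE'`. Without it, nothing ties the
   * request to an action the administrator actually chose to take.
   */
  public function reset(string $transport): RedirectResponse {
    $config = $this->configFactory()->getEditable("example_mailer.transport.$transport");
    $config->set('dsn', 'null://null')->save();
    $this->messenger()->addStatus($this->t('Transport %id reset.', ['%id' => $transport]));
    // 'example_mailer.admin' is an assumed listing route.
    return $this->redirect('example_mailer.admin');
  }

  /**
   * Builds the admin-side link to the action.
   *
   * Because the target route requires a CSRF token, the URL generator adds
   * ?token=... when this link is rendered. A forged link on an attacker's
   * page cannot produce that value, so the access check denies it.
   */
  public static function resetLink(string $transport): array {
    return [
      '#type' => 'link',
      '#title' => t('Reset'),
      '#url' => Url::fromRoute('example_mailer.reset', ['transport' => $transport]),
    ];
  }

}
```

For destructive or configuration-changing actions, a confirmation form built on `ConfirmFormBase` (a POST submission carrying Drupal's form token) is the more conventional Drupal pattern; the `_csrf_token` requirement is the minimum for any action that must remain link-triggered. A quick audit of a module is to list every route in its `*.routing.yml` whose `defaults` use `_controller` rather than `_form`, and check whether each one that changes state declares `_csrf_token: 'TRUE'` under `requirements`.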
Solution:
* If you use Drupal Symfony Mailer module v1.2.x, upgrade to v1.2.2 [3].
* If you use Drupal Symfony Mailer module v1.3.x, upgrade to v1.3.0-rc3 [4].
Reported By:
* Mingsong [5]
Fixed By:
* Mingsong [6]
* Adam Shepherd [7]
* Lee Rowlands [8] of the Drupal Security Team
[1] https://www.drupal.org/project/symfony_mailer
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/symfony_mailer/releases/1.2.2
[4] https://www.drupal.org/project/symfony_mailer/releases/1.3.0-rc3
[5] https://www.drupal.org/user/2986445
[6] https://www.drupal.org/user/2986445
[7] https://www.drupal.org/user/2650563
[8] https://www.drupal.org/user/395439
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Archive provided by MHonArc 2.6.24.