it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Drupal Symfony Mailer Lite - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-014
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Drupal Symfony Mailer Lite - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-014
- Date: Wed, 28 Feb 2024 19:05:40 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2024-014
Project: Drupal Symfony Mailer Lite [1]
Date: 2024-February-28
Security risk: *Moderately critical* 12∕25
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Request Forgery
Affected versions: <1.0.6
Description:
The module doesn’t sufficiently protect against malicious links, which
means an attacker can trick an administrator into performing unwanted
actions.
This vulnerability is mitigated by the fact that the set of unwanted actions
is limited to specific configurations.
Solution:
Upgrade to Symfony Mailer Lite 1.0.6 [3] and rebuild Drupal's cache.
Reported By:
* Mingsong [4]
Fixed By:
* Lee Rowlands [5] of the Drupal Security Team
* Wayne Eaker [6]
Coordinated By:
* Greg Knaddison [7] of the Drupal Security Team
* Juraj Nemec [8] of the Drupal Security Team
* Lee Rowlands [9] of the Drupal Security Team
[1] https://www.drupal.org/project/symfony_mailer_lite
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/symfony_mailer_lite/releases/1.0.6
[4] https://www.drupal.org/user/2986445
[5] https://www.drupal.org/user/395439
[6] https://www.drupal.org/user/326925
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/272316
[9] https://www.drupal.org/user/395439
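A check for the affected range stated in the advisory (<1.0.6), as an added example that is not part of the advisory or the project's code: it reads a site's `composer.lock` content and classifies the installed module version. It assumes a Composer-managed site and the Composer package name `drupal/symfony_mailer_lite`; the function names and the sample lock data are constructed for illustration.

```python
import json
import re

PACKAGE = "drupal/symfony_mailer_lite"  # assumed Composer name for the project
FIXED = (1, 0, 6)                        # first fixed release per the advisory

_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")


def classify(version):
    """Return 'affected', 'fixed' or 'unknown' for one version string."""
    m = _SEMVER.match(version.strip())
    if not m:
        return "unknown"   # e.g. '1.x-dev': the checked-out commit needs manual review
    core = tuple(int(part) for part in m.group(1, 2, 3))
    if core < FIXED:
        return "affected"
    if core == FIXED and m.group(4):
        return "affected"  # a pre-release of 1.0.6 sorts before 1.0.6 in Composer
    return "fixed"


def check_lock(lock_text):
    """Find the module in composer.lock content; return (version, status)."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name") == PACKAGE:
                version = pkg.get("version", "")
                return version, classify(version)
    return None, "not-installed"


# Constructed composer.lock fragment, for illustration only.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.2.3"},
        {"name": "drupal/symfony_mailer_lite", "version": "1.0.5"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    version, status = check_lock(SAMPLE_LOCK)
    print(f"{PACKAGE} {version}: {status}")
```

A result of `affected` means the upgrade and cache rebuild described under "Solution" still need to be applied on that site.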