[IT-SecNots] [Security-news] OAuth2 Client - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-013

it-securitynotifies AT lists.piratenpartei.de

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] OAuth2 Client - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-013
  • Date: Wed, 5 Feb 2025 17:29:27 +0000 (UTC)
  • Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=fbwuYpIj; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.133 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-013

Project: OAuth2 Client [1]
Date: 2025-February-05
Security risk: *Moderately critical* 12/25
AC:Complex/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Request Forgery

Affected versions: <4.1.3
Description: 
This module enables a developer to create dedicated OAuth2 clients for
connecting to external APIs and other OAuth protected resources.

The module does not protect the routes that enable a client with Cross Site
Request Forgery (CSRF) tokens, so a GET request to such a route that a
logged-in user is tricked into making (for example through a link or an
embedded image on an attacker-controlled page) enables the client.

This vulnerability is mitigated by the fact that an attacker must know the
machine name of the client and must deceive a user who holds the permission
to enable clients into triggering the request while logged in.

Solution: 
Install the latest version:

* If you use the OAuth2 Client module for Drupal 10 or 11, upgrade to OAuth2
Client 4.1.3 [3]

Reported By: 
* Tobias Bähr [4]

Fixed By: 
* Shawn Duncan [5]
* Tobias Bähr [6]

Coordinated By: 
* cilefen [7] of the Drupal Security Team
* Greg Knaddison [8] of the Drupal Security Team


[1] https://www.drupal.org/project/oauth2_client
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/oauth2_client/releases/4.1.3
[4] https://www.drupal.org/user/183956
[5] https://www.drupal.org/user/628748
[6] https://www.drupal.org/user/183956
[7] https://www.drupal.org/u/cilefen
[8] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
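The class of fix the advisory describes is route-level CSRF protection in Drupal's routing YAML. The fragment below is an added illustration, not the oauth2_client module's own routing file or the actual patch in 4.1.3; the route names, path, permission string and controller class (example_client.*, ExampleClientController) are hypothetical. It shows the weak definition beside the hardened one.

```yaml
# Added example, not code from the oauth2_client project. All names here
# (example_client.*, ExampleClientController, the permission string) are
# hypothetical.

# Weak: a state-changing GET route guarded only by a permission check.
# Any page the victim visits while logged in can fire it, e.g. with
#   <img src="https://site.example/admin/config/example-client/foo/enable">
# as long as the attacker knows the client machine name ("foo").
example_client.enable_unprotected:
  path: '/admin/config/example-client/{client}/enable'
  defaults:
    _controller: '\Drupal\example_client\Controller\ExampleClientController::enable'
    _title: 'Enable client'
  requirements:
    _permission: 'administer example clients'

# Hardened: require a CSRF token on the route. Drupal core's CsrfAccessCheck
# validates the `token` query parameter against the route path and the
# current session, and RouteProcessorCsrf appends that token automatically
# to links built with Url::fromRoute('example_client.enable', ['client' => 'foo']).
# A cross-origin request cannot obtain the session-bound token, so the
# forged GET is denied with 403.
example_client.enable:
  path: '/admin/config/example-client/{client}/enable'
  defaults:
    _controller: '\Drupal\example_client\Controller\ExampleClientController::enable'
    _title: 'Enable client'
  requirements:
    _permission: 'administer example clients'
    _csrf_token: 'TRUE'
```

Two checks worth making on any module that exposes enable/disable or similar toggles as links: confirm that every route whose controller changes state either carries `_csrf_token: 'TRUE'` or is reached only through a Form API form (whose form token gives equivalent protection), and confirm that the links in the UI are generated through Url::fromRoute() rather than hand-built paths, since a hand-built path will not receive the token and will start returning 403 once the requirement is added.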