it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
[IT-SecNots] [Security-news] ECA: Event - Condition - Action - Critical - Cross site request forgery - SA-CONTRIB-2025-030
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] ECA: Event - Condition - Action - Critical - Cross site request forgery - SA-CONTRIB-2025-030
- Date: Wed, 9 Apr 2025 17:04:16 +0000 (UTC)
- Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=K2Vh3ymh; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.133 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 4AA9241E93
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org B94B461129
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2025-030-0
Project: ECA: Event - Condition - Action [1]
Date: 2025-April-09
Security risk: *Critical* 16/25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross site request forgery
Affected versions: <1.1.12 || >=2.0.0 <2.0.16 || >=2.1.0 <2.1.7 || 1.2.*
CVE IDs: CVE-2025-3131
Description:
This module enables you to define automations on your Drupal site.
The module does not sufficiently protect certain routes from cross-site
request forgery (CSRF) attacks.
This vulnerability is mitigated by the fact that an attacker must get a user
who holds the "administer eca" permission to visit an attacker-chosen page
while logged in to the site. It can also be mitigated by disabling the
"eca_ui" submodule: ECA functionality stays intact, but the vulnerable
routes are no longer available.
Solution:
Install the fixed release for the branch you run:
* If you use the ECA module for Drupal 10 or 11, upgrade to ECA 1.1.12 [3],
ECA 2.0.16 [4] or ECA 2.1.7 [5]
Note that 1.2.* is listed as affected above, but this advisory names no
fixed 1.2.x release; sites on that branch need to move to one of the
releases listed here.
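As an added check, not part of the advisory or the ECA project: the POSIX shell script below reads the locked drupal/eca version out of a Composer-managed site's composer.lock and classifies it against the affected ranges stated above (<1.1.12 || >=2.0.0 <2.0.16 || >=2.1.0 <2.1.7 || 1.2.*). The composer.lock fragment embedded in the block is constructed for illustration only; function names such as eca_affected and eca_report are this example's own.

```shell
#!/bin/sh
# Added example, not part of the advisory or the ECA project: classify an
# installed drupal/eca version against SA-CONTRIB-2025-030's affected ranges
#   <1.1.12 || >=2.0.0 <2.0.16 || >=2.1.0 <2.1.7 || 1.2.*
# and pull that version out of a Composer-managed site's composer.lock.

# vercmp A B: print -1, 0 or 1 for A<B, A=B, A>B on MAJOR.MINOR.PATCH strings.
# Missing or non-numeric components count as 0, so a "2.0.x" dev build sorts
# as 2.0.0, the conservative choice (it lands inside the affected range).
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      xa = (i <= n) ? x[i] + 0 : 0
      yb = (i <= m) ? y[i] + 0 : 0
      if (xa < yb) { print "-1"; exit }
      if (xa > yb) { print "1"; exit }
    }
    print "0"
  }'
}

# normalize_version V: drop a leading "v" or legacy "8.x-" prefix and any
# "-dev"/"-alpha1"/"+build" suffix, leaving MAJOR.MINOR.PATCH.
normalize_version() {
  printf '%s' "$1" | sed 's/^v//; s/^8\.x-//; s/[-+].*$//'
}

# eca_affected V: exit status 0 if V falls in an affected range, 1 otherwise.
eca_affected() {
  v=$(normalize_version "$1")
  case "$v" in
    1.2|1.2.*) return 0 ;;  # listed as affected; the advisory names no fixed 1.2.x
  esac
  [ "$(vercmp "$v" 1.1.12)" -lt 0 ] && return 0
  [ "$(vercmp "$v" 2.0.0)" -ge 0 ] && [ "$(vercmp "$v" 2.0.16)" -lt 0 ] && return 0
  [ "$(vercmp "$v" 2.1.0)" -ge 0 ] && [ "$(vercmp "$v" 2.1.7)" -lt 0 ] && return 0
  return 1
}

# eca_version_from_lock FILE: print the version locked for drupal/eca.
# composer.lock lists each package as {"name": ..., "version": ...}, so the
# first "version" key after the exact "drupal/eca" name is the one wanted.
eca_version_from_lock() {
  awk '
    /"name": *"drupal\/eca"/ { found = 1; next }
    found && /"version":/ { gsub(/[",]/, ""); print $2; exit }
  ' "$1"
}

# eca_report FILE: one-line verdict for the drupal/eca version locked in FILE.
eca_report() {
  ver=$(eca_version_from_lock "$1")
  if [ -z "$ver" ]; then
    echo "drupal/eca not found in $1"
  elif eca_affected "$ver"; then
    echo "drupal/eca $ver: AFFECTED by SA-CONTRIB-2025-030 (upgrade to 1.1.12, 2.0.16 or 2.1.7)"
  else
    echo "drupal/eca $ver: not in the affected ranges"
  fi
}

# Constructed composer.lock fragment so the script runs stand-alone; it is
# not taken from any real site.
SAMPLE_LOCK=$(mktemp)
cat > "$SAMPLE_LOCK" <<'EOF'
{
    "packages": [
        {
            "name": "drupal/core",
            "version": "10.4.1"
        },
        {
            "name": "drupal/eca",
            "version": "2.0.15",
            "type": "drupal-module"
        }
    ]
}
EOF
eca_report "$SAMPLE_LOCK"
rm -f "$SAMPLE_LOCK"
```

On a real site, run `eca_report composer.lock` from the project root (`composer show drupal/eca` reports the same version). If the upgrade cannot be applied immediately, the interim mitigation the advisory describes is to disable the eca_ui submodule, for example with `drush pm:uninstall eca_ui` on a site that has Drush installed; ECA models keep running, but the vulnerable UI routes are gone until the module is re-enabled after upgrading.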
Reported By:
* Juraj Nemec (poker10) [6] of the Drupal Security Team
Fixed By:
* Benji Fisher (benjifisher) [7] of the Drupal Security Team
* Jürgen Haas (jurgenhaas) [8]
* Lee Rowlands (larowlan) [9] of the Drupal Security Team
Coordinated By:
* Greg Knaddison (greggles) [10] of the Drupal Security Team
* Juraj Nemec (poker10) [11] of the Drupal Security Team
Security issue: https://git.drupalcode.org/security/9-eca-security/-/issues/1 [12]
[1] https://www.drupal.org/project/eca
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/eca/releases/1.1.12
[4] https://www.drupal.org/project/eca/releases/2.0.16
[5] https://www.drupal.org/project/eca/releases/2.1.7
[6] https://www.drupal.org/u/poker10
[7] https://www.drupal.org/u/benjifisher
[8] https://www.drupal.org/u/jurgenhaas
[9] https://www.drupal.org/u/larowlan
[10] https://www.drupal.org/u/greggles
[11] https://www.drupal.org/u/poker10
[12] https://git.drupalcode.org/security/9-eca-security/-/issues/1
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Archive provided by MHonArc 2.6.19+.