it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
[IT-SecNots] [Security-news] Search API Solr - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-046
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Search API Solr - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-046
- Date: Wed, 23 Apr 2025 16:59:34 +0000 (UTC)
- Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=TFnZKP5Y; dmarc=pass (policy=none) header.from=drupal.org; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 2605:bc80:3010::136 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org C1E7D61AEB
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org B9C6C61098
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2025-046
Project: Search API Solr [1]
Date: 2025-April-23
Security risk: *Moderately critical* 13/25
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Request Forgery
Affected versions: <4.3.9
CVE IDs: CVE-2025-3907
Description:
This module provides support for creating searches using the Apache Solr
search engine and the Search API Drupal module.
The module doesn't sufficiently protect certain routes from CSRF attacks.
This vulnerability is mitigated by the fact that a site admin would have to
perform further steps after the attack for it to have any effect.
Solution:
Install the latest version:
* If you use the Search API Solr module for Drupal 8+, upgrade to Search API
Solr 4.3.10. [3]
We also recommend checking your Solr configuration for any unintended
changes.
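The advisory does not name the affected routes, so the following is an added illustration and not code from the Search API Solr project: a hypothetical module `example_solr_admin` (module name, route names, paths, controller and form class are all assumptions) exposing an action that changes Solr server state. It contrasts a route with no CSRF protection against the two idioms Drupal 8+ provides for it: the `_csrf_token` route requirement, and a confirmation form, whose Form API token covers CSRF on its own. The permission `administer search_api` is assumed to match the Search API module's own permission name.

```yaml
# Added example (hypothetical module "example_solr_admin"), not search_api_solr code.
# Three routes are shown side by side for contrast; a real module would ship only
# one of the protected variants.

# Weak: a plain GET link that mutates state with no CSRF check. Any page an
# authenticated admin visits can embed an <img> or hidden form pointing at this
# path, and the browser sends the admin's session cookie with it.
example_solr_admin.reindex_unprotected:
  path: '/admin/config/search/example-solr/{server}/reindex-legacy'
  defaults:
    _controller: '\Drupal\example_solr_admin\Controller\ServerController::reindex'
    _title: 'Re-index server'
  requirements:
    _permission: 'administer search_api'

# Hardened (link-style action): the _csrf_token requirement makes
# CsrfAccessCheck validate a session-bound token passed as ?token=... .
# RouteProcessorCsrf appends that token automatically to links built with
# Url::fromRoute() for this route, so a cross-site request that lacks it is
# rejected with 403 before the controller runs.
example_solr_admin.reindex:
  path: '/admin/config/search/example-solr/{server}/reindex'
  defaults:
    _controller: '\Drupal\example_solr_admin\Controller\ServerController::reindex'
    _title: 'Re-index server'
  requirements:
    _permission: 'administer search_api'
    _csrf_token: 'TRUE'

# Hardened (preferred for destructive actions): route to a confirmation form
# extending ConfirmFormBase. The form token that Form API adds to every
# rendered form is checked on submit, so the state change only happens on a
# POST that originated from the site's own confirmation page.
example_solr_admin.reindex_confirm:
  path: '/admin/config/search/example-solr/{server}/reindex/confirm'
  defaults:
    _form: '\Drupal\example_solr_admin\Form\ReindexConfirmForm'
    _title: 'Confirm re-indexing'
  requirements:
    _permission: 'administer search_api'
```

When auditing a contributed module for this class of issue, list every route whose controller writes configuration or state and check that each one either carries `_csrf_token: 'TRUE'` or is served by a form; a GET-reachable controller with only a `_permission` requirement is the pattern to flag. After upgrading, comparing the exported `search_api.server.*` configuration against the last known-good export is the practical way to follow the advisory's advice to look for unintended changes.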
Reported By:
* Pierre Rudloff (prudloff) [4]
Fixed By:
* Thomas Seidl (drunken monkey) [5]
* Markus Kalkbrenner (mkalkbrenner) [6]
Coordinated By:
* Greg Knaddison (greggles) [7] of the Drupal Security Team
* Drew Webber (mcdruid) [8] of the Drupal Security Team
* Juraj Nemec (poker10) [9] of the Drupal Security Team
[1] https://www.drupal.org/project/search_api_solr
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/search_api_solr/releases/4.3.10
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/drunken-monkey
[6] https://www.drupal.org/u/mkalkbrenner
[7] https://www.drupal.org/u/greggles
[8] https://www.drupal.org/u/mcdruid
[9] https://www.drupal.org/u/poker10
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Archive provided by MHonArc 2.6.19+.