it-securitynotifies - [IT-SecNots] [Security-news] Restrict route by IP - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-047

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

List archive

[IT-SecNots] [Security-news] Restrict route by IP - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-047


  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Restrict route by IP - Critical - Cross Site Request Forgery - SA-CONTRIB-2025-047
  • Date: Wed, 7 May 2025 17:06:18 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-047

Project: Restrict route by IP [1]
Date: 2025-May-07
Security risk: *Critical* 16/25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Request Forgery

Affected versions: <1.3.0
CVE IDs: CVE-2025-47701
Description: 
The Restrict route by IP module provides an interface to manage route
restriction by IP address.

The module doesn't sufficiently protect certain routes from CSRF attacks.

This vulnerability is mitigated by the fact that an attacker needs to know the
machine name of the targeted route.
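As an added illustration (not from the advisory and not the module's own code): in Drupal, a controller route that changes state should declare the `_csrf_token` requirement so that it only accepts requests carrying a valid per-session token; a route that relies on a permission check alone is reachable by any request the victim's browser can be made to send. The module name, route names, path and controller below are hypothetical placeholders, and the advisory does not say which routes were affected or how the 1.3.0 fix was implemented.

```yaml
# Hypothetical routing file (example_module.routing.yml); NOT from restrict_route_by_ip.

# Weak: a state-changing route guarded only by a permission check. Once an
# administrator is logged in, a third-party page can trigger it because the
# browser attaches the session cookie to the request automatically.
example_module.restriction_delete_weak:
  path: '/admin/config/example/restriction/{restriction}/delete'
  defaults:
    _controller: '\Drupal\example_module\Controller\RestrictionController::delete'
    _title: 'Delete restriction'
  requirements:
    _permission: 'administer example restrictions'

# Corrected: the same route additionally requires a CSRF token. When a link to
# this route is generated with Url::fromRoute(), core's RouteProcessorCsrf
# appends the token as a query parameter, and CsrfAccessCheck denies requests
# whose token is missing or does not belong to the current session.
example_module.restriction_delete:
  path: '/admin/config/example/restriction/{restriction}/delete'
  defaults:
    _controller: '\Drupal\example_module\Controller\RestrictionController::delete'
    _title: 'Delete restriction'
  requirements:
    _permission: 'administer example restrictions'
    _csrf_token: 'TRUE'
```

Routes that render a Form API form (`_form:` in `defaults`) receive their token from the form system and need no `_csrf_token` requirement; a confirmation form is the other common way to protect a destructive action. When auditing a site, list routes whose controllers modify configuration or content and verify that each has one of these two protections.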

Solution: 
Install the latest version:

* If you use the restrict_route_by_ip module for Drupal 10.x or 11.x,
upgrade to restrict_route_by_ip 1.3.0 [3]

Reported By: 
* Juraj Nemec (poker10) [4] of the Drupal Security Team

Fixed By: 
* lozbes [5]

Coordinated By: 
* Greg Knaddison (greggles) [6] of the Drupal Security Team
* Juraj Nemec (poker10) [7] of the Drupal Security Team


[1] https://www.drupal.org/project/restrict_route_by_ip
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/restrict_route_by_ip/releases/1.3.0
[4] https://www.drupal.org/u/poker10
[5] https://www.drupal.org/u/lozbes
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/poker10

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
