it-securitynotifies AT lists.piratenpartei.de
Betreff: Sicherheitsankündigungen
Listenarchiv
[IT-SecNots] [Security-news] Theme Negotiation by Rules - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-012
Chronologisch Thread
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Theme Negotiation by Rules - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-012
- Date: Wed, 25 Feb 2026 18:44:39 +0000 (UTC)
- Archived-at: <https://lists.drupal.org/mailman3/hyperkitty/list/security-news AT drupal.org/message/DXWVC4I6XM72RV6AYQJYZ5KZTO4CJF7M/>
- Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=EqzUaq3D; dkim=fail ("body hash did not verify") header.d=drupal.org header.s=default header.b=IlRM9EMu; dmarc=pass (policy=none) header.from=drupal.org; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.133 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org EB6564277E
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 6A15141678
- List-archive: <https://lists.drupal.org/mailman3/hyperkitty/list/security-news AT drupal.org/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2026-012
Project: Theme Negotiation by Rules [1]
Date: 2026-February-25
Security risk: *Moderately critical* 13 ∕ 25
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross-site request forgery
Affected versions: <1.2.1
CVE IDs: CVE-2026-3211
Description:
This module allows site builders to create so-called "theme_rule" config
entities. These theme rules can render pages with different themes than the
default when certain conditions match.
The module uses simple GET request to disable or enable theme rules, which
allows attackers to disable or enable theme rules by tricking site
administrators to click on links.
This vulnerability is mitigated by the fact that an attacker must know the
machine name of the theme rule.
Solution:
Install the latest version:
* If you use the Theme Negotiation by Rules module, upgrade to Theme
Negotiation by Rules 1.2.1 [3].
Reported By:
* Juraj Nemec (poker10) [4] of the Drupal Security Team
Fixed By:
* Zoltan Attila Horvath (huzooka) [5]
* Juraj Nemec (poker10) [6] of the Drupal Security Team
Coordinated By:
* Damien McKenna (damienmckenna) [7] of the Drupal Security Team
* Greg Knaddison (greggles) [8] of the Drupal Security Team
* Juraj Nemec (poker10) [9] of the Drupal Security Team
* Jess (xjm) [10] of the Drupal Security Team
------------------------------------------------------------------------------
Contribution record [11]
[1] https://www.drupal.org/project/theme_rule
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/node/3575478
[4] https://www.drupal.org/u/poker10
[5] https://www.drupal.org/u/huzooka
[6] https://www.drupal.org/u/poker10
[7] https://www.drupal.org/u/damienmckenna
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/u/poker10
[10] https://www.drupal.org/u/xjm
[11] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3575761
_______________________________________________
Security-news mailing list -- security-news AT drupal.org
To unsubscribe send an email to security-news-leave AT drupal.org
Unsubscribe at
- [IT-SecNots] [Security-news] Theme Negotiation by Rules - Moderately critical - Cross-site request forgery - SA-CONTRIB-2026-012, security-news, 25.02.2026
Archiv bereitgestellt durch MHonArc 2.6.19+.