General Data Protection Regulation - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-018

Wed, 2025-02-26 10:34 — Anonymous (not verified)

Project: General Data Protection RegulationDate: 2025-February-26Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site Request ForgeryAffected versions: <3.0.1 || >=3.1.0 <3.1.2Description: The GDPR Task submodule enables you to create GDPR tasks.
The module doesn't sufficiently protect against Cross Site Request Forgery (CSRF) attacks by validating user identity and intent when creating tasks.Solution: Install the latest version:

If you use the General Data Protection Regulation module 3.0.x, upgrade to 3.0.1
If you use the General Data Protection Regulation module 3.1.x, upgrade to 3.1.2

Reported By:

Pierre Rudloff (prudloff)

Fixed By:

Peter Pónya (pedrop)
szato

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2025-018

Search form

General Data Protection Regulation - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-018