Gutenberg - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-048

Project: Gutenberg
Date: 2024-October-09
Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Request Forgery
Affected versions: <2.13.0 || >=3.0.0 <3.0.5
Description: This module provides a new UI experience for node editing using the Gutenberg Editor library.
The module did not sufficiently protect some routes against a Cross Site Request Forgery attack.
This vulnerability is mitigated by the fact that the tricked user needs to have an active session with the "use gutenberg" permission.
Solution: Install the latest version:

  • If you use the Gutenberg module versions 8.x-2.x, upgrade to Gutenberg 8.x-2.14
  • If you use the Gutenberg module versions 3.0.x, upgrade to Gutenberg 3.0.5
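
To check an installed version string against the "Affected versions" range above, the following is an added example, not code from the advisory or the Gutenberg project. The function names and the sample versions are assumptions made for illustration; the range string is copied from this page.

```python
import re

# Affected range copied from the advisory's "Affected versions" field.
AFFECTED = "<2.13.0 || >=3.0.0 <3.0.5"

OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}

def normalize(version):
    """Map a Drupal contrib version to a (major, minor, patch) tuple.

    Accepts legacy "8.x-2.12" and semantic "3.0.4". Pre-release or dev
    suffixes are rejected rather than guessed, so they get a manual review.
    """
    v = re.sub(r"^\d+\.x-", "", version.strip())
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(p or 0) for p in m.groups())

def is_affected(version, constraint=AFFECTED):
    """True if the version satisfies any '||' alternative of the constraint."""
    v = normalize(version)
    for alternative in constraint.split("||"):
        # Each alternative is a space-separated AND of comparisons.
        terms = re.findall(r"(<=|>=|<|>|=)\s*([\d.]+)", alternative)
        if terms and all(OPS[op](v, normalize(bound)) for op, bound in terms):
            return True
    return False

if __name__ == "__main__":
    # Constructed sample versions, not taken from any real site.
    for sample in ["8.x-2.12", "8.x-2.14", "3.0.4", "3.0.5"]:
        print(sample, "affected" if is_affected(sample) else "not affected")
```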

Reported By: 

Fixed By: 

Coordinated By: 

Path to article https://www.drupal.org/sa-contrib-2024-048