Gutenberg - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-048
Project: Gutenberg
Date: 2024-October-09
Security risk: Moderately critical 12/25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Request Forgery
Affected versions: <2.13.0 || >=3.0.0 <3.0.5
Description: This module provides a new UI experience for node editing using the Gutenberg Editor library.
The module did not sufficiently protect some routes against a Cross Site Request Forgery attack.
This vulnerability is mitigated by the fact that the tricked user needs to have an active session with the "use gutenberg" permission.
Solution: Install the latest version:
- If you use the Gutenberg module versions 8.x-2.x, upgrade to Gutenberg 8.x-2.14
- If you use the Gutenberg module versions 3.0.x, upgrade to Gutenberg 3.0.5
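For maintainers auditing their own modules for the same class of issue, the following added example (not the Gutenberg module's routing file; the route names, paths, controller and permission placement are hypothetical) shows a Drupal routing.yml entry for a state-changing POST route without any CSRF requirement, beside the hardened form that uses core's `_csrf_request_header_token` requirement, which rejects requests whose `X-CSRF-Token` header does not carry a valid session token.

```yaml
# Added illustration, not code from the Gutenberg project. The module name,
# route names, paths and controller class are placeholders.

# Weak: a POST route that changes state for the current user but declares no
# CSRF requirement. Any page the logged-in user visits can auto-submit a form
# to this path and the browser will attach the user's session cookie.
example_module.save_unprotected:
  path: '/example/save-unprotected'
  defaults:
    _controller: '\Drupal\example_module\Controller\SaveController::save'
  methods: [POST]
  requirements:
    _permission: 'use gutenberg'

# Hardened: for JSON/AJAX routes, require the CSRF request header token.
# Drupal core's CsrfRequestHeaderAccessCheck denies the request unless the
# X-CSRF-Token header validates for the current session; a third-party origin
# cannot read that token, so a cross-site request fails even with the cookie.
example_module.save_protected:
  path: '/example/save'
  defaults:
    _controller: '\Drupal\example_module\Controller\SaveController::save'
  methods: [POST]
  requirements:
    _permission: 'use gutenberg'
    _csrf_request_header_token: 'TRUE'
```

The legitimate client obtains the header value from core's `/session/token` endpoint and sends it as `X-CSRF-Token` on each request. For link-style GET routes that perform an action, the equivalent is the `_csrf_token: 'TRUE'` requirement together with a `token` query parameter generated by the CSRF token service. A quick check when reviewing a contributed module is to grep its `*.routing.yml` for every route with `methods: [POST]` (or a controller that writes to entities) and confirm that one of these two requirements, or a Form API form with its built-in token, is present.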
Reported By:
Fixed By:
- Mingsong
- Lee Rowlands of the Drupal Security Team
- Eirik Morland
- Stephan Zeidler
- Cathy Theys of the Drupal Security Team
- codebymikey
- Marco Fernandes
Coordinated By:
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team