Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2017-December-06
Vulnerability:
Cross Site Request Forgery (CSRF)
Affected versions:
<1.5
Description:
The Configuration Update Reports sub-module in the Configuration Update module project enables you to run reports to see what configuration on your site differs from the configuration distributed by a module, theme, or installation profile, and to revert, delete, or import configuration.
This module doesn't sufficiently protect the Import operation, thereby exposing a Cross Site Request Forgery (CSRF) vulnerability which can be exploited by unprivileged users to trick an administrator into unwanted import of configuration.
This vulnerability is mitigated by the fact that only configuration items distributed with a module, theme, or installation profile that is currently installed and enabled on the site can be imported, not arbitrary configuration values.
Solution:
Install the latest version:
- If you use the Configuration Update Manager module and its Reports sub-module for Drupal 8.x, upgrade to Configuration Update Manager version 8.x-1.5
Alternatively, you could remove the permission "import configuration" from all roles on the site, or uninstall the Configuration Update Reports sub-module from your production sites.
Also see the Configuration Update Manager project page.
Reported By:
Fixed By:
- Jennifer Hodgdon the module maintainer
Coordinated By:
- Greg Knaddison of the Drupal Security Team
- Lee Rowlands of the Drupal Security Team
