Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2019-May-22
Vulnerability:
Cross Site Request Forgery
Affected versions:
<2.5.0
Description:
This module enables you to handle fields for Custom Menu Links.
The module doesn't sufficiently check requests to one of the module controllers if the user has permission 'administer menu'.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content.
Solution:
Install the latest version:
- If you use the Menu Item Extras module for Drupal 8.x, upgrade to Menu Item Extras 8.x-2.5
Reported By:
Fixed By:
Coordinated By:
- Michael Hess of the Drupal Security Team
