Vulnerability from drupal
The Configuration Update Reports sub-module in the Configuration Update module project enables you to run reports to see what configuration on your site differs from the configuration distributed by a module, theme, or installation profile, and to revert, delete, or import configuration.
This module doesn't sufficiently protect the Import operation, thereby exposing a Cross Site Request Forgery (CSRF) vulnerability which can be exploited by unprivileged users to trick an administrator into an unwanted import of configuration.
This vulnerability is mitigated by the fact that only configuration items distributed with a module, theme, or installation profile that is currently installed and enabled on the site can be imported, not arbitrary configuration values.
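As an added illustration of the general mitigation (this is not code from the Configuration Update project and not its actual fix), a state-changing route in a Drupal 8 module can be exposed to CSRF when it is reachable by a plain GET link guarded only by a permission check. Drupal's route-level protection is the `_csrf_token` requirement: with it set, the `CsrfAccessCheck` access checker rejects any request that lacks a valid session-bound `token` query parameter, and links built with `Url::fromRoute()` get that token appended automatically. The route names, path and controller below are hypothetical.

```yaml
# Constructed routing.yml fragment for a hypothetical "example_module".
# Weak definition: the import is triggered by a GET link with only a
# permission check, so any page an administrator visits while logged in
# can cause the request to be issued on their behalf.
example_module.import_weak:
  path: '/admin/config/development/example/import/{name}'
  defaults:
    _controller: '\Drupal\example_module\Controller\ImportController::import'
  requirements:
    _permission: 'administer site configuration'

# Corrected definition: '_csrf_token: TRUE' makes Drupal validate a
# per-session token on every request to this route. Requests without a
# valid ?token=... parameter are denied before the controller runs.
example_module.import:
  path: '/admin/config/development/example/import/{name}'
  defaults:
    _controller: '\Drupal\example_module\Controller\ImportController::import'
  requirements:
    _permission: 'administer site configuration'
    _csrf_token: 'TRUE'
```

Links to the protected route must be generated through the routing system (for example `Url::fromRoute('example_module.import', ['name' => $name])`) so the token is added; a hand-written `href` to the path will be rejected. An equivalent defence is to put the action behind a confirmation form derived from `FormBase`, which is protected by Drupal's form token instead.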
```json
{
  "affected": [
    {
      "database_specific": {
        "affected_versions": "\u003c1.5"
      },
      "package": {
        "ecosystem": "Packagist:https://packages.drupal.org/8",
        "name": "drupal/config_update"
      },
      "ranges": [
        {
          "database_specific": {
            "constraint": "\u003c1.5"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": []
    }
  ],
  "aliases": [],
  "credits": [
    {
      "contact": [
        "https://www.drupal.org/u/jfhovinne"
      ],
      "name": "Jean-Francois Hovinne"
    }
  ],
  "details": "The Configuration Update Reports sub-module in the Configuration Update module project enables you to run reports to see what configuration on your site differs from the configuration distributed by a module, theme, or installation profile, and to revert, delete, or import configuration.\n\nThis module doesn\u0027t sufficiently protect the Import operation, thereby exposing a Cross Site Request Forgery (CSRF) vulnerability which can be exploited by unprivileged users to trick an administrator into unwanted import of configuration.\n\nThis vulnerability is mitigated by the fact that only configuration items distributed with a module, theme, or installation profile that is currently installed and enabled on the site can be imported, not arbitrary configuration values.",
  "id": "DRUPAL-CONTRIB-2017-091",
  "modified": "2023-08-21T13:26:56.000Z",
  "published": "2017-12-06T18:44:03.000Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2017-091"
    }
  ],
  "schema_version": "1.7.0"
}
```
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.