DRUPAL-CONTRIB-2025-031

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/eca/DRUPAL-CONTRIB-2025-031.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-031
Aliases
  • CVE-2025-3131
Published
2025-04-09T17:04:15Z
Modified
2025-12-10T23:41:28.006421Z
Summary
[none]
Details

This module enables you to define automations on your Drupal site.

The module doesn't sufficiently protect certain routes from CSRF attacks.

This vulnerability can be mitigated by disabling the "eca_ui" submodule, which leaves ECA functionality intact, but the vulnerable routes will no longer be available.

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/eca

Package

Name
drupal/eca
Purl
pkg:composer/drupal/eca

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.1.12
Database specific
{
    "constraint": "<1.1.12"
}
Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.0.16
Database specific
{
    "constraint": ">=2.0.0 <2.0.16"
}
Type
ECOSYSTEM
Events
Introduced
2.1.0
Fixed
2.1.7
Database specific
{
    "constraint": ">=2.1.0 <2.1.7"
}

Database specific

affected_versions
"<1.1.12 || >=2.0.0 <2.0.16 || >=2.1.0 <2.1.7"
patched
true
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/eca/DRUPAL-CONTRIB-2025-031.json"