DRUPAL-CONTRIB-2017-091

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/config_update/DRUPAL-CONTRIB-2017-091.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2017-091
Published
2017-12-06T18:44:03Z
Modified
2025-12-10T23:31:47.241725Z
Summary
[none]
Details

The Configuration Update Reports sub-module in the Configuration Update module project enables you to run reports to see what configuration on your site differs from the configuration distributed by a module, theme, or installation profile, and to revert, delete, or import configuration.

This module does not sufficiently protect the Import operation, exposing a Cross-Site Request Forgery (CSRF) vulnerability that an unprivileged user can exploit to trick an administrator into performing an unwanted configuration import.

This vulnerability is mitigated by the fact that only configuration items distributed with a module, theme, or installation profile that is currently installed and enabled on the site can be imported, not arbitrary configuration values.
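As an added illustration (not the module's own code or its actual fix), the two routing definitions below contrast a Drupal 8 operation route that accepts a plain GET link with one that requires a CSRF token; the route name, path and controller are assumed placeholders, not identifiers from the advisory.

```yaml
# Constructed example: a state-changing "import" operation reachable by a bare link.
# Any page an administrator visits can embed this URL, so the browser sends the
# administrator's session cookie and the import runs without their intent (CSRF).
example_module.import_item_weak:
  path: '/admin/config/example/import/{name}'
  defaults:
    _controller: '\Drupal\example_module\Controller\ImportController::import'
  requirements:
    _permission: 'administer site configuration'

# Hardened form: the _csrf_token requirement makes Drupal's access checker reject
# requests whose ?token= query value does not match the current session, and the
# core CSRF route processor appends that token automatically when the link is
# generated from a render array, so a cross-site page cannot forge it.
example_module.import_item:
  path: '/admin/config/example/import/{name}'
  defaults:
    _controller: '\Drupal\example_module\Controller\ImportController::import'
  requirements:
    _permission: 'administer site configuration'
    _csrf_token: 'TRUE'
```

An equivalent defence is to route the operation through a confirmation form, since Drupal form submissions carry a form token that is validated on POST.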

References
Credits

Affected packages

Packagist: https://packages.drupal.org/8 / drupal/config_update

Package

Name
drupal/config_update
Purl
pkg:composer/drupal/config_update

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.5.0
Database specific
{
    "constraint": "<1.5"
}

Database specific

affected_versions
"<1.5"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/config_update/DRUPAL-CONTRIB-2017-091.json"