DRUPAL-CONTRIB-2025-110

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/currency/DRUPAL-CONTRIB-2025-110.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-110

Aliases

CVE-2025-10930
GHSA-27fv-rpgj-4c6m

Published

2025-09-24T17:27:41Z

Modified

2025-12-10T23:41:17.883554Z

Summary

[none]

Details

This module allows you to use different currencies on your website and do currency conversion.

The module doesn't sufficiently protect routes used to enable and disable currencies from Cross-Site Request Forgery (CSRF) attacks, potentially allowing an attacker to trick an admin into changing settings.

References

https://www.drupal.org/sa-contrib-2025-110

Credits

- Juraj Nemec (poker10)
- - https://www.drupal.org/u/poker10

Affected packages

Packagist / drupal/currency

Package

Name: drupal/currency
Purl: pkg:composer/drupal/currency

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

3.5.0

Database specific

{
    "constraint": "<3.5.0"
}

Database specific

affected_versions

"<3.5.0"