- Issue created by @prudloff
This module has a CSRF vulnerability in version 8.x-2.0-alpha3.
The cmis.cmis_object_delete route deletes a CMIS object without checking a CSRF token.
An attacker could trick a user with the "access all cmis browsers" permission into loading a page containing code like this:
<img src="http://example.com/cmis/object-delete/foo/fd6ec7b8-e514-499b-9928-ba4a240d6bde%3B1.0?type=browser&parent=c4ec4d2b-9fc0-4c3d-b665-7cc7172531fe">
This could delete the CMIS object without the user's approval.
The confirmation should probably be built with the ConfirmFormBase class.
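One way to add the confirmation step proposed above, as an added example that is not the module's own code: a ConfirmFormBase subclass that replaces the route's `_controller` with a `_form`, so deletion only happens on a validated POST carrying the form token. The class name, route parameter names and the `cmis.object_deleter` service are assumptions, not identifiers from the cmis module.

```php
<?php

namespace Drupal\cmis\Form;

use Drupal\Core\Form\ConfirmFormBase;
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Url;

/**
 * Confirmation form for deleting a CMIS object (example, assumed names).
 *
 * Assumed routing entry replacing the controller:
 *   cmis.cmis_object_delete:
 *     path: '/cmis/object-delete/{config}/{object_id}'
 *     defaults: { _form: '\Drupal\cmis\Form\CmisObjectDeleteForm' }
 *     requirements: { _permission: 'access all cmis browsers' }
 */
class CmisObjectDeleteForm extends ConfirmFormBase {

  protected $config;    // CMIS browser config ID from the route (assumed).
  protected $objectId;  // CMIS object ID from the route (assumed).

  public function getFormId() {
    return 'cmis_object_delete_form';
  }

  public function buildForm(array $form, FormStateInterface $form_state, $config = NULL, $object_id = NULL) {
    $this->config = $config;
    $this->objectId = $object_id;
    // ConfirmFormBase renders confirm/cancel buttons plus a form token;
    // a plain GET (e.g. from an <img> tag) only shows this page.
    return parent::buildForm($form, $form_state);
  }

  public function getQuestion() {
    return $this->t('Are you sure you want to delete CMIS object %id?', ['%id' => $this->objectId]);
  }

  public function getCancelUrl() {
    // Return to the browser the object was listed in (route name assumed).
    return Url::fromRoute('cmis.cmis_browser', ['config' => $this->config]);
  }

  public function submitForm(array &$form, FormStateInterface $form_state) {
    // Runs only after the form API has validated the token on POST.
    // cmis.object_deleter is an assumed service wrapping the existing delete logic.
    \Drupal::service('cmis.object_deleter')->delete($this->config, $this->objectId);
    $form_state->setRedirectUrl($this->getCancelUrl());
  }

}
```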