Potential CSRF vulnerability on some of the paths

Created on 21 January 2025, 3 months ago

Problem/Motivation

The following paths require either the "administer monitoring" or the "monitoring force run" permission, but they are plain GET links with neither a CSRF token nor a form. An attacker can therefore trick a user who holds one of those permissions into visiting one of the URLs (for example via a link or an image tag on another site) and unknowingly performing a sensor rebuild or a forced run.

* /monitoring/sensors/force
* /admin/config/system/monitoring/sensors/rebuild
* /monitoring/sensors/force/{monitoring_sensor_config}
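One way a site can close this hole without patching the module is a route subscriber that adds Drupal's `_csrf_token` requirement to the affected routes; the existing `_permission` requirement stays in place, and `CsrfAccessCheck` then also demands a valid `?token=` query parameter bound to the route path. This is an added example and not code from the Monitoring module or the issue author. The route names (`monitoring.force_run_all`, `monitoring.sensor_rebuild`, `monitoring.force_run_sensor`) and the module name `my_hardening` are assumptions; the real route names live in the module's `monitoring.routing.yml`.

```php
<?php

// Added hardening example, not part of the Monitoring module.
// The route names below are assumptions; look them up in monitoring.routing.yml.

namespace Drupal\my_hardening\Routing;

use Drupal\Core\Routing\RouteSubscriberBase;
use Symfony\Component\Routing\RouteCollection;

/**
 * Adds a CSRF token requirement to state-changing GET routes.
 *
 * Register it in my_hardening.services.yml as a service tagged
 * "event_subscriber" so alterRoutes() runs during route rebuilds.
 */
class MonitoringCsrfRouteSubscriber extends RouteSubscriberBase {

  /**
   * Routes that rebuild sensors or force a run (assumed names).
   */
  protected const STATE_CHANGING_ROUTES = [
    'monitoring.force_run_all',
    'monitoring.sensor_rebuild',
    'monitoring.force_run_sensor',
  ];

  /**
   * {@inheritdoc}
   */
  protected function alterRoutes(RouteCollection $collection) {
    foreach (self::STATE_CHANGING_ROUTES as $name) {
      $route = $collection->get($name);
      if ($route === NULL) {
        // Route name does not match this version of the module; skip it
        // rather than failing the whole route rebuild.
        continue;
      }
      // Before: only a permission check, so any GET from an authorised
      // browser succeeds, including one triggered by a third-party page.
      // After: CsrfAccessCheck validates the "token" query parameter
      // against the route path, so a link the attacker planted is denied
      // because the attacker cannot know the victim's session-bound token.
      $route->setRequirement('_csrf_token', 'TRUE');
    }
  }

}
```

Links generated through `Url::fromRoute()` pick up the token automatically, because Drupal's outbound route processor appends `?token=` whenever a route carries the `_csrf_token` requirement; hand-written `<a href>` strings in templates do not and will start returning 403. The cleaner long-term fix is to turn each action into a confirmation form submitted by POST, which gets the form token for free and also stops crawlers and link prefetchers from triggering a run.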

Background information

(This was discussed privately with the Drupal security team and it was decided it could be handled publicly.)

🐛 Bug report
Status

Active

Version

1.0

Component

Code

Created by

mr.baileys (Ghent, Belgium)

Tags

  • Security improvements
  • Security

