CSRF on entity.ultimate_cron_job.unlock route

Created on 18 February 2025, 7 months ago

The entity.ultimate_cron_job.unlock route is not protected against CSRF attacks.

As an user that can post content, add this HTML in a page:

<img src="http://example.com/admin/config/system/cron/jobs/ultimate_cron_queue_locale_translation/unlock">

As another user with the "run cron jobs" permission, display this page: the job is unlocked without any confirmation.

Add the _csrf_token: 'TRUE' requirement to this route.

🐛 Bug report

Status

Active

Version

2.0

Component

Code

Created by

🇫🇷France prudloff Lille

Live updates comments and jobs are added and updated live.

Security
It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

Merge Requests

Issue created by @prudloff
Assigned to dhruv.mittal
Comment 4 months ago →
dhruv.mittal
Merge request !70Issue #3507396: CSRF on entity.ultimate_cron_job.unlock route. → (Merged) created by dhruv.mittal
Pipeline finished with Success
4 months ago
Total: 200s
#488849
Comment 4 months ago →
dhruv.mittal
Please review
First commit to issue fork.
Pipeline finished with Skipped
about 8 hours ago
#587512
Comment about 8 hours ago →
System Message

berdir → committed 557c8f97 on 8.x-2.x authored by dhruv.mittal →
Issue #3507396 by dhruv.mittal, prudloff: CSRF on entity....
Issue was unassigned.
Status changed to Fixed about 8 hours ago8:21pm 1 September 2025
Comment about 8 hours ago →
🇨🇭Switzerland berdir Switzerland
Works fine, thanks.

Production build 0.71.5 2024