Project: 
Date: 
2024-October-09
Vulnerability: 
Cross Site Request Forgery
Affected versions: 
<2.13.0 || >=3.0.0 <3.0.5
CVE IDs: 
CVE-2024-13284
Description: 

This module provides a new UI experience for node editing using the Gutenberg Editor library.

The module did not sufficiently protect some routes against a Cross Site Request Forgery attack.

This vulnerability is mitigated by the fact that the tricked user needs to have an active session with the "use gutenberg" permission.

Solution: 

Install the latest version:

  • If you use version 8.x-2.x of the Gutenberg module, upgrade to Gutenberg 8.x-2.14
  • If you use version 3.0.x of the Gutenberg module, upgrade to Gutenberg 3.0.5
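
To check an inventory of installed Gutenberg versions against the affected range and the fixed releases above, the following is an added example, not part of the advisory or the Gutenberg project's code. The site names and versions are constructed; it assumes the legacy form `8.x-2.13` corresponds to semantic version `2.13.0`, and it reports pre-release strings as unknown.

```python
import re

# Affected range as written in the advisory: <2.13.0 || >=3.0.0 <3.0.5
AFFECTED = [
    [("<", (2, 13, 0))],
    [(">=", (3, 0, 0)), ("<", (3, 0, 5))],
]
# Fixed releases from the advisory's Solution section, keyed by major branch.
FIXED = {2: "8.x-2.14", 3: "3.0.5"}

# Accepts '8.x-2.13' (legacy Drupal form) or '3.0.4'; pre-release tags do not match.
_VERSION = re.compile(r"^(?:\d+\.x-)?(\d+)\.(\d+)(?:\.(\d+))?$")


def normalize(version):
    """Return (major, minor, patch); a missing patch component counts as 0."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(p) if p else 0 for p in m.groups())


def is_affected(version):
    v = normalize(version)
    def holds(op, bound):
        return v < bound if op == "<" else v >= bound
    # OR across clauses, AND within a clause, mirroring '||' and the space.
    return any(all(holds(op, b) for op, b in clause) for clause in AFFECTED)


def triage(installed):
    """Map each site to (status, upgrade target or None)."""
    report = {}
    for site, version in installed.items():
        try:
            hit = is_affected(version)
        except ValueError:
            report[site] = ("unknown", None)
            continue
        target = FIXED.get(normalize(version)[0]) if hit else None
        report[site] = ("affected" if hit else "not affected", target)
    return report


# Constructed inventory for illustration; not data from the advisory.
SAMPLE = {"intranet": "8.x-2.12", "blog": "8.x-2.14", "shop": "3.0.4",
          "docs": "3.0.5", "lab": "3.0.0-beta1"}

if __name__ == "__main__":
    for site, result in triage(SAMPLE).items():
        print(site, *result)
```

The range is evaluated exactly as the advisory writes it, so 8.x-2.13 is reported as not affected even though the Solution names 8.x-2.14 as the upgrade target.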
Reported By: 
Fixed By: 
Coordinated By: