Minify JS - Moderately critical - Cross site request forgery - SA-CONTRIB-2024-070

Project:

Minify JS

Date:

2024-December-04

Security risk:

Moderately critical 13 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All

Vulnerability:

Cross site request forgery

Affected versions:

<3.0.3

CVE IDs:

CVE-2024-13304

Description:

The Minify JS module allows a site administrator to minify all javascript files that exist in the site's code base and use those minified files on the front end of the website.

Several administrator routes are unprotected against Cross-Site Request Forgery (CRSF) attacks.

Solution:

Install the latest version:

If you use the Minify JS module for Drupal 7.x, upgrade to Minify JS 7.x-1.11
If you use the Minify JS module for Drupal 8.x, upgrade to Minify JS 3.0.3

Reported By:

Pierre Rudloff

Fixed By:

Ivo Van Geertruyen of the Drupal Security Team
Scott Joudry

Coordinated By:

Ivo Van Geertruyen of the Drupal Security Team

Contribution record

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Bluesky, or Mastodon or Linkedin.

Contributing organizations for this advisory

The security team is made up of volunteers around the world. The companies above have sponsored time on this release.

Minify JS - Moderately critical - Cross site request forgery - SA-CONTRIB-2024-070

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community