Open Social - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-079

Project:

Open Social

Date:

2025-June-25

Security risk:

Moderately critical 13 ∕ 25 AC:None/A:User/CI:None/II:Some/E:Theoretical/TD:All

Vulnerability:

Cross Site Request Forgery

Affected versions:

<12.3.14 || >=12.4.0 <12.4.13

CVE IDs:

CVE-2025-48921

Description:

Open Social is a Drupal distribution for online communities, which ships with a default module that allows users to enroll in events.

The module doesn't sufficiently protect certain routes from Cross Site Request Forgery (CSRF) attacks. Users can be tricked into accepting or rejecting these enrollments.

This issue only affects sites that have event enrollments enabled for an event.

Solution:

Install the latest version:

If you use Open Social 12.3.x upgrade to Open Social 12.3.14
If you use Open Social 12.4.x upgrade to Open Social 12.4.13

Reported By:

Ivo Van Geertruyen (mr.baileys) of the Drupal Security Team

Fixed By:

Alexander Varwijk (kingdutch)
Robert Ragas (robertragas)

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team

Contribution record

Open Social - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-079

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community