Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2025-December-10
Security risk:
Vulnerability:
Cross-Site Request Forgery
Affected versions:
<3.6.4 || >=3.7.0 <3.7.3
CVE IDs:
CVE-2025-14472
Description:
This module provides a centralized content distribution and syndication solution so thta customers can publish, reuse, and syndicate content across a network of Drupal websites.
The module doesn't sufficiently protect export routes from cross-site request forgery (CSRF) attacks, potentially allowing an attacker to trick an admin into exporting an unwanted entity.
Solution:
Install the latest version:
- If you use Acquia Content Hub 3.6.x, upgrade to Acquia Content Hub 3.6.4.
- If you use Acquia Content Hub 3.7.x, upgrade to Acquia Content Hub 3.7.3.
- The latest version, Acquia Content Hub 3.8.0, is also now available with both the security fix and other improvements.
Reported By:
- Lee Rowlands (larowlan) of the Drupal Security Team
Coordinated By:
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
