The Events, Conditions, Actions (ECA) module's Render submodule enables you to build render arrays and render inline Twig templates as part of no-code ECA models.
The module doesn't sufficiently sanitize template code when rendering, which can lead to information disclosure.
This vulnerability is mitigated by the fact that a site must be running an ECA model that uses the "Render: Twig" action on a data flow.
Install the latest version:
- If you use the ECA 3.1 for Drupal 10.x or 11.x, upgrade to ECA 3.1.4
- If you use the ECA 3.0 for Drupal 10.x or 11.x, upgrade to ECA 3.0.12
- If you use the ECA 1.2 for Drupal 10.x or 11.x, upgrade to ECA 2.1.20
- Neil Drumm (drumm) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Dave Long (longwave) of the Drupal Security Team