CVE-2024-13250
Published: 09 January 2025
Description
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Symfony Mailer Lite allows Cross Site Request Forgery. This issue affects Drupal Symfony Mailer Lite: from 0.0.0 before 1.0.6.
Security Summary
CVE-2024-13250 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the Drupal Symfony Mailer Lite module. This issue affects all versions of the module from 0.0.0 up to but not including 1.0.6. The vulnerability enables CSRF attacks against Drupal sites using this contrib module for Symfony Mailer integration.
The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity. An attacker needs no privileges and can exploit it over the network with low complexity, but exploitation requires user interaction, such as a victim clicking a malicious link or loading a crafted page while authenticated to the site. Successful exploitation has a high impact on confidentiality, integrity, and availability, since the attacker can cause the site to perform unauthorized actions on behalf of the authenticated user.
The official Drupal security advisory SA-CONTRIB-2024-014, available at https://www.drupal.org/sa-contrib-2024-014, details the issue and recommends updating to Drupal Symfony Mailer Lite version 1.0.6 or later, which resolves the CSRF protection flaw. Site administrators should apply the patch promptly and review access to affected functionality.
Details
- CWE(s)