VYPR
Moderate severity · NVD Advisory · Published Oct 29, 2025 · Updated Oct 30, 2025

Currency - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-110

CVE-2025-10930

Description

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Currency allows Cross Site Request Forgery. This issue affects Currency: from 0.0.0 before 3.5.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Drupal Currency module before 3.5.0 lacks CSRF protection on the routes for enabling and disabling currencies, allowing attackers to trick admins into changing settings.

Vulnerability Overview

The Drupal Currency module, which provides multi-currency support and currency conversion, contains a Cross-Site Request Forgery (CSRF) vulnerability. The module fails to sufficiently protect the routes used to enable and disable currencies, leaving them open to CSRF attacks [1][2].

Exploitation

An attacker can exploit this flaw by crafting a malicious link or page that, when visited by an authenticated administrator, triggers an unintended request to the vulnerable routes. The attack requires no special network position beyond the ability to deliver the crafted request to the admin user. The admin does not need to be logged into the attacker's site; the CSRF attack leverages the admin's existing session with the Drupal site [2].

Impact

Successful exploitation allows an attacker to trick an administrator into changing currency settings, such as enabling or disabling currencies. This could disrupt the site's e-commerce or financial display functionality, potentially leading to incorrect pricing or user confusion. The impact is limited to configuration changes and does not directly lead to data exfiltration or privilege escalation [2].

Mitigation

The vulnerability affects all versions of the Currency module from 0.0.0 before 3.5.0. Users are advised to upgrade to Currency 8.x-3.5, which contains the necessary CSRF protections. No workarounds are mentioned in the advisory [2].
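
For reference, this is what route-level CSRF protection looks like in a Drupal module's routing YAML, shown as a before/after pair. It is an added example, not the Currency module's code or its actual patch; the module name, route names, paths, permission and controller class are hypothetical placeholders.

```yaml
# Hypothetical example_currency.routing.yml (placeholder names throughout,
# not taken from the Currency module).

# Before: a state-changing route guarded only by a permission check.
# The permission check passes for any request that carries the admin's
# session cookie, so Drupal cannot tell a deliberate click in the admin UI
# from a request the admin's browser was induced to send.
example_currency.currency_disable_unprotected:
  path: '/admin/example/currency/{currency}/disable'
  defaults:
    _controller: '\Drupal\example_currency\Controller\ToggleController::disable'
  requirements:
    _permission: 'administer example currency'

# After: the same route with Drupal's CSRF token requirement added.
# With _csrf_token set, access is denied unless the request carries a
# "token" query parameter that validates for the current session and this
# route's path. Links that Drupal generates for the route get the token
# appended automatically, so the admin UI keeps working.
example_currency.currency_disable:
  path: '/admin/example/currency/{currency}/disable'
  defaults:
    _controller: '\Drupal\example_currency\Controller\ToggleController::disable'
  requirements:
    _permission: 'administer example currency'
    _csrf_token: 'TRUE'
```

When reviewing custom or contributed modules for the same class of flaw, check each route that changes state (enable, disable, delete and similar actions) for this requirement alongside its permission check.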

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
drupal/currency (Packagist) | < 3.5.0 | 3.5.0

Affected products

2
  • 2bits/Currency (llm-fuzzy)
    Range: < 3.5.0
  • Drupal/Currency (v5)
    Range: 0.0.0

Patches

0

No patches discovered yet.

References

3
