CVE-2024-13304
📋 TL;DR
A Cross-Site Request Forgery (CSRF) vulnerability in the Drupal Minify JS module allows attackers to trick authenticated users into performing unintended actions. This affects Drupal sites using the Minify JS module to optimize JavaScript delivery. Attackers could force users to execute malicious requests while logged into the Drupal administration interface.
💻 Affected Systems
- Drupal Minify JS module
📦 What is this software?
Minify JS by matthiasmullie
⚠️ Risk & Real-World Impact
Worst Case
An attacker could trick an administrator into changing site configuration, adding malicious users, or modifying content through forged requests executed via the victim's authenticated session.
Likely Case
Attackers could force users to perform unintended actions like changing their own profile settings, submitting forms, or triggering module-specific operations while authenticated.
If Mitigated
With proper CSRF protections and user awareness, the impact is limited as the vulnerability requires user interaction and authentication.
🎯 Exploit Status
Exploitation requires the attacker to trick an authenticated user into visiting a malicious page while logged into Drupal. No authentication bypass is involved.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.3
Vendor Advisory: https://www.drupal.org/sa-contrib-2024-070
Restart Required: No
Instructions:
1. Update the Minify JS module to version 3.0.3 or later via Drupal's update manager or Composer.
2. Clear Drupal caches after the update.
3. Verify the module functions correctly with the updated version.
🔧 Temporary Workarounds
Disable Minify JS module
Temporarily disable the vulnerable module until patching is possible. Drupal 8 and later have no "disabled" state for modules, so the module is uninstalled (the `pm:disable` command does not exist in current Drush); the machine name below is the one given in this advisory, confirm it with `drush pm:list` before running:
drush pm:uninstall minify_js
Implement CSRF token validation
Add custom CSRF protection to forms if module modification is possible
🧯 If You Can't Patch
- Restrict administrative access to trusted networks only
- Implement web application firewall rules to detect CSRF patterns
🔍 How to Verify
Check if Vulnerable:
Check the installed version of the Minify JS module in Drupal's Extend page or via drush:
drush pm:list | grep minify_js
Check Version:
drush pm:list --fields=name,version | grep minify_js
Verify Fix Applied:
Confirm the module version is 3.0.3 or higher and test JavaScript minification functionality
📡 Detection & Monitoring
Log Indicators:
- Unexpected form submissions from unverified sources
- Administrative actions from unusual IP addresses
Network Indicators:
- HTTP POST requests without proper referrer headers or CSRF tokens to minify JS endpoints
SIEM Query:
web_requests WHERE uri CONTAINS '/minify-js' AND method = 'POST' AND (referrer IS NULL OR referrer NOT CONTAINS trusted_domain)
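The SIEM query above expressed as a check over web-server access logs, as an added example that is not part of the original advisory. The log lines are constructed sample data, the `/minify-js` path marker is taken from the query and is a placeholder for the module's real route, and trusted hosts are compared by exact hostname rather than substring, so a lookalike domain such as `example.org.evil.example.net` is still flagged (the pseudo-query's `NOT CONTAINS` would let it through):

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in Apache/nginx "combined" format (with Referer).
# Line 1: legitimate admin POST; 2: no Referer; 3: Referer from a foreign site;
# 4: a GET (ignored); 5: lookalike host that merely contains the trusted domain.
SAMPLE_LOG = """\
203.0.113.7 - admin [20/Nov/2024:10:01:22 +0000] "POST /admin/config/development/minify-js HTTP/1.1" 200 512 "https://example.org/admin/config/development/minify-js" "Mozilla/5.0"
203.0.113.7 - admin [20/Nov/2024:10:02:05 +0000] "POST /admin/config/development/minify-js HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - admin [20/Nov/2024:10:03:41 +0000] "POST /admin/config/development/minify-js HTTP/1.1" 200 512 "https://evil.example.net/lure.html" "Mozilla/5.0"
203.0.113.7 - admin [20/Nov/2024:10:04:00 +0000] "GET /admin/config/development/minify-js HTTP/1.1" 200 2048 "https://example.org/admin" "Mozilla/5.0"
203.0.113.7 - admin [20/Nov/2024:10:05:13 +0000] "POST /admin/config/development/minify-js HTTP/1.1" 200 512 "https://example.org.evil.example.net/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def referer_is_trusted(referer, trusted_hosts):
    """True only if a Referer is present and its host exactly matches a trusted host."""
    if not referer or referer == "-":
        return False
    host = urlsplit(referer).hostname  # drops scheme, port and path; lowercased
    return host is not None and host in trusted_hosts


def find_suspicious_posts(log_text, trusted_hosts, path_marker="/minify-js"):
    """Return POSTs to the module path whose Referer is missing or not trusted."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or path_marker not in m["path"]:
            continue
        if referer_is_trusted(m["referer"], trusted_hosts):
            continue
        if m["referer"] in ("", "-"):
            reason = "missing Referer"
        else:
            reason = f"untrusted Referer host {urlsplit(m['referer']).hostname}"
        hits.append({"ip": m["ip"], "user": m["user"], "time": m["time"],
                     "path": m["path"], "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_posts(SAMPLE_LOG, {"example.org"}):
        print(hit)
```

A missing Referer is only a weak signal on its own (browsers and privacy extensions strip it), so correlate these hits with the user and source-IP indicators listed above rather than alerting on them alone.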