CVE-2025-10930: Drupal Currency allows Cross Site Request Forgery
Severity score: 6.5
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| drupal/currency | composer | < 3.5.0 | 3.5.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability is a Cross-Site Request Forgery (CSRF) in the Drupal Currency module's exchange rate update form. The analysis of the security patch, found in commit 2d30f8f031333a230336a20c4a8f87588181319a from the drupal-projects/currency repository, reveals the exact nature of the vulnerability and the functions involved. The patch modifies two key functions in currency.admin.inc:
- currency_exchange_rates_form: This function is responsible for building the form. The vulnerability existed here because the form was generated without a CSRF token. The patch rectifies this by adding a hidden token field to the form.
- currency_exchange_rates_form_submit: This function processes the submitted form data. The vulnerability was exploited here because this function did not validate any CSRF token, thus processing any submitted data as long as the user had an active session. The patch introduces a check to validate the CSRF token, and if the token is invalid, it aborts the submission and displays an error message.
During an exploit, an attacker would trick a privileged user into submitting a crafted request to the server. This would trigger the currency_exchange_rates_form_submit function, which, without the patch, would execute the unauthorized action (e.g., modifying currency exchange rates). Therefore, both the form building function and the form submission handler are critical to understanding and identifying this vulnerability in a runtime profile.
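To make the patched pattern concrete, the following is an added, framework-independent PHP sketch (not the Currency module's code; the function names, the `form_token` field name and the `save_exchange_rate` stand-in are hypothetical). It shows the unpatched handler, which trusts any POST that arrives with a valid session cookie, beside one that embeds a session-bound token in the form and refuses to act when that token does not validate.

```php
<?php
// Added illustration, not code from the Currency module. All names are hypothetical.
session_start();

// Per-session token bound to a form identifier, so a token issued for one
// form cannot be replayed against another.
function csrf_token(string $form_id): string {
    if (empty($_SESSION['csrf_secret'])) {
        $_SESSION['csrf_secret'] = bin2hex(random_bytes(32));
    }
    return hash_hmac('sha256', $form_id, $_SESSION['csrf_secret']);
}

function csrf_token_valid(?string $token, string $form_id): bool {
    if (!is_string($token) || empty($_SESSION['csrf_secret'])) {
        return false;
    }
    // Constant-time comparison so the check does not leak the token via timing.
    return hash_equals(csrf_token($form_id), $token);
}

// Stand-in for the persistence layer; only validates the value here.
function save_exchange_rate(float $rate): bool {
    return $rate > 0;
}

// Vulnerable pattern (what the unpatched handler did): the form carries no
// token, so any cross-site POST with the victim's session cookie is honoured.
function exchange_rates_submit_vulnerable(array $post): bool {
    return save_exchange_rate((float) ($post['rate'] ?? 0));
}

// Patched pattern: the token is rendered into the form as a hidden field ...
function exchange_rates_form_patched(): string {
    $token = htmlspecialchars(csrf_token('exchange_rates'), ENT_QUOTES, 'UTF-8');
    return '<form method="post">'
         . '<input type="hidden" name="form_token" value="' . $token . '">'
         . '<input name="rate" value="1.0"><button>Save</button></form>';
}

// ... and the submit handler aborts, reports an error and changes nothing
// unless the token validates for this session and this form.
function exchange_rates_submit_patched(array $post): bool {
    if (!csrf_token_valid($post['form_token'] ?? null, 'exchange_rates')) {
        error_log('Rejected exchange rate update: missing or invalid CSRF token');
        return false;
    }
    return save_exchange_rate((float) ($post['rate'] ?? 0));
}
```

A forged cross-site request cannot read the hidden field from the victim's page, so it cannot supply a token that passes `csrf_token_valid`, which is the property the patch relies on.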
Vulnerable functions
- currency_exchange_rates_form (currency.admin.inc)
- currency_exchange_rates_form_submit (currency.admin.inc)