Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-061

Source:
Security advisories for contributed projects

Publication date:
30/11/2022 17:28

Permanent link to this news item:
http://www.vsinovyny.com/9510590


Project: 
Date: 2022-November-30
Security risk: 
Vulnerability: Access bypass
Affected versions: >=11.4.0 <11.4.9 || >=11.5.0 <11.5.1
Description: 

Social Flexible Group is an Open Social extension that allows users to create groups with many different configurations.

In specific uncommon scenarios, where a platform doesn't have any flexible groups with the "Group members only (secret)" visibility, community groups are visible to anonymous users on the /all-groups page. No other group information is revealed since group access is not affected by this issue.

This vulnerability is mitigated by creating a Flexible Group with visibility "Group members only (secret)".

Solution: 

Install the latest version:

Reported By: 
Fixed By: 
Coordinated By: 
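
To triage several installations against the "Affected versions" range above, the following added example (not part of the advisory or of the Open Social project) evaluates that constraint string against installed version numbers. The site names and versions in `SITES` are constructed for illustration, and the function names are hypothetical.

```python
import operator
import re

# Affected range copied verbatim from the advisory's "Affected versions" field.
AFFECTED = ">=11.4.0 <11.4.9 || >=11.5.0 <11.5.1"

_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt,
        "<": operator.lt, "=": operator.eq}
_TERM = re.compile(r"(>=|<=|>|<|=)(\d+(?:\.\d+)*)$")


def parse_version(text):
    """Turn '11.4.8' into (11, 4, 8); refuse anything but plain dotted digits."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        # Pre-release suffixes need real semver ordering; fail loudly instead.
        raise ValueError(f"unsupported version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # '11.5' compares as 11.5.0


def parse_constraint(constraint):
    """'||' separates alternatives (OR); spaces separate terms in one (AND)."""
    clauses = []
    for clause in constraint.split("||"):
        terms = []
        for term in clause.split():
            m = _TERM.match(term)
            if not m:
                raise ValueError(f"unsupported constraint term: {term!r}")
            terms.append((_OPS[m.group(1)], parse_version(m.group(2))))
        if not terms:  # an empty clause would otherwise match every version
            raise ValueError("empty clause in constraint")
        clauses.append(terms)
    return clauses


def is_affected(version, constraint=AFFECTED):
    v = parse_version(version)
    return any(all(op(v, bound) for op, bound in terms)
               for terms in parse_constraint(constraint))


def triage(inventory):
    """Return the sorted names of sites whose version is in the range."""
    return sorted(n for n, ver in inventory.items() if is_affected(ver))


# Constructed inventory: site names and versions are made up for the example.
SITES = {"intranet": "11.4.8", "community": "11.4.9", "partners": "11.5.0",
         "events": "11.5.1", "legacy": "11.3.12"}

if __name__ == "__main__":
    print(triage(SITES))
```

Sites it reports are candidates for the update or, until then, for the mitigation described above.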

 
