
it-securitynotifies - [IT-SecNots] [Security-news] Opigno forum - Less critical - Access bypass - SA-CONTRIB-2019-046

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Opigno forum - Less critical - Access bypass - SA-CONTRIB-2019-046
  • Date: Wed, 15 May 2019 17:32:45 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2019-046

Project: Opigno forum [1]
Date: 2019-May-15
Security risk: *Less critical* 9∕25
AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

Description: 
In certain circumstances, forum information may be available to unprivileged
users because the access check is done with node access instead of grants.

This vulnerability is mitigated by the fact that the module itself does not
disclose information; exposure occurs only where there are listings such as
views and the site builder / developer has not taken this into account.

Solution: 
Install the latest version:

* If you use the opigno_forum module for Drupal 8.x, upgrade to opigno_forum
8.x-1.2 [3]

Also see the Opigno forum [4] project page.

Reported By: 
* Nathaniel Catchpole [5] of the Drupal Security Team

Fixed By: 
* James Aparicio [6]
* Nathaniel Catchpole [7] of the Drupal Security Team

Coordinated By: 
* Nathaniel Catchpole [8] of the Drupal Security Team


[1] https://www.drupal.org/project/opigno_forum
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/opigno_forum/releases/8.x-1.2
[4] https://www.drupal.org/project/opigno_forum
[5] https://www.drupal.org/user/35733
[6] https://www.drupal.org/user/2547544
[7] https://www.drupal.org/user/35733
[8] https://www.drupal.org/user/35733

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
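
The difference the description draws between a node access check and grants, shown for Drupal 8 as an added example that is not taken from opigno_forum or from the advisory. The module name `example_forum`, the realm `example_forum_group`, the fields `field_forum_group` and `field_forum_groups` and the helper function are assumptions made for illustration.

```php
<?php
// Added illustration for a hypothetical module "example_forum"; the realm,
// both field names and the helper are assumptions, not opigno_forum code.
use Drupal\Core\Access\AccessResult;
use Drupal\Core\Session\AccountInterface;
use Drupal\node\NodeInterface;
use Drupal\user\Entity\User;

/** Hypothetical helper: forum group ids stored on the user entity. */
function example_forum_user_groups(AccountInterface $account) {
  $user = User::load($account->id());
  $items = $user ? $user->get('field_forum_groups')->getValue() : [];
  return array_map('intval', array_column($items, 'target_id'));
}

/**
 * Weak form: hook_node_access() runs only when one loaded node is checked.
 * Listing queries never invoke it, so a view can still list the node.
 */
function example_forum_node_access(NodeInterface $node, $op, AccountInterface $account) {
  if ($node->bundle() !== 'forum' || $op !== 'view' || $node->get('field_forum_group')->isEmpty()) {
    return AccessResult::neutral();
  }
  $gid = (int) $node->get('field_forum_group')->target_id;
  $member = in_array($gid, example_forum_user_groups($account), TRUE);
  return AccessResult::forbiddenIf(!$member)->cachePerUser()->addCacheableDependency($node);
}

/**
 * Grants form, part 1: hook_node_access_records() stores rows in {node_access}
 * on save; queries tagged 'node_access' are filtered against those rows.
 */
function example_forum_node_access_records(NodeInterface $node) {
  if ($node->bundle() !== 'forum' || $node->get('field_forum_group')->isEmpty()) {
    return [];
  }
  return [[
    'realm' => 'example_forum_group',
    'gid' => (int) $node->get('field_forum_group')->target_id,
    'grant_view' => (int) $node->isPublished(),
    'grant_update' => 0,
    'grant_delete' => 0,
  ]];
}

/** Grants form, part 2: hook_node_grants() lists the gids this account holds. */
function example_forum_node_grants(AccountInterface $account, $op) {
  return $op === 'view' ? ['example_forum_group' => example_forum_user_groups($account)] : [];
}
```

Rows for existing nodes appear only after a node access rebuild, and a view filters on them only while its SQL rewriting is left enabled.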

