
it-securitynotifies - [IT-SecNots] [Security-news] Social Base - Moderately critical - Access bypass - SA-CONTRIB-2022-060

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Social Base - Moderately critical - Access bypass - SA-CONTRIB-2022-060
  • Date: Wed, 30 Nov 2022 18:16:59 +0000 (UTC)
  • Authentication-results: mail.piratenpartei.de; dkim=none; dmarc=pass (policy=none) header.from=drupal.org; spf=pass (mail.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.138 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2022-060

Project: Social Base [1]
Date: 2022-November-30
Security risk: *Moderately critical* 14∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Affected versions: >=2.3 <2.3.4 || >=2.4 <2.4.3
Description: 
The Social Base theme is designed as a base theme for Open Social. This base
theme holds a lot of sensible defaults. It doesn't, however, contain much
styling. We expect developers to want to change this for their own project.

When content within the Open Social distribution is placed within a group
then the Socialbase theme renders a link to that group on the content view
page.

The link to groups was rendered without sufficiently checking that the
viewing user has access to the group. When creating public content in a
non-public group this could lead to exposing the existence of the group and
the group title to unauthorized users. The group itself remained
inaccessible.

Solution: 
Install the latest version:

* If you use the Socialbase module theme for Drupal 8.x/9.x, upgrade to
Socialbase 2.4.3 [3]
* If you use the Socialbase module theme for Drupal 8.x/9.x, upgrade to
Socialbase 2.3.4 [4]

Reported By: 
* Alexander Varwijk [5]

Fixed By: 
* Alexander Varwijk [6]
* Ronald te Brake [7]
* Navneet Singh [8]

Coordinated By: 
* Damien McKenna [9] of the Drupal Security Team
* Greg Knaddison [10] of the Drupal Security Team


[1] https://www.drupal.org/project/socialbase
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/socialbase/releases/2.4.3
[4] https://www.drupal.org/project/socialbase/releases/2.3.4
[5] https://www.drupal.org/user/1868952
[6] https://www.drupal.org/user/1868952
[7] https://www.drupal.org/user/2314038
[8] https://www.drupal.org/user/3200545
[9] https://www.drupal.org/user/108450
[10] https://www.drupal.org/user/36762
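
Added example, not part of the advisory or of the Socialbase project: a small Python check that evaluates the "Affected versions" expression above against an installed version string. It assumes plain dotted numeric versions (such as 2.3.4); the function names and the sample versions are constructed for illustration.

```python
import re

# Constraint copied verbatim from the advisory's "Affected versions" line.
AFFECTED = ">=2.3 <2.3.4 || >=2.4 <2.4.3"

_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}
# Two-character operators are listed first so ">=" is not read as ">".
_TERM = re.compile(r"(>=|<=|>|<|=)\s*(\S+)")


def parse_version(text):
    """Turn '2.3', 'v2.4.1' or '2.3.4' into a 3-tuple of ints (missing parts = 0)."""
    text = text.strip().lstrip("vV")
    if not re.fullmatch(r"\d+(\.\d+){0,2}", text):
        raise ValueError(f"unsupported version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(installed, constraint=AFFECTED):
    """True if `installed` satisfies any '||' alternative of the constraint.

    Within one alternative, every space-separated comparison must hold (AND).
    Versions are compared numerically per component, so 2.3.10 > 2.3.4.
    """
    version = parse_version(installed)
    for alternative in constraint.split("||"):
        terms = _TERM.findall(alternative)
        if terms and all(_OPS[op](version, parse_version(bound)) for op, bound in terms):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real site.
    for v in ["2.2.9", "2.3.0", "2.3.3", "2.3.4", "2.4.0", "2.4.2", "2.4.3", "3.0.0"]:
        print(f"socialbase {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
```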


