it-securitynotifies - [IT-SecNots] [Security-news] Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-062

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-062
  • Date: Wed, 30 Nov 2022 18:18:34 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2022-062

Project: Open Social [1]
Date: 2022-November-30
Security risk: *Moderately critical* 10∕25
AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Affected versions: >=11.4.0 <11.4.9 || >=11.5.0 <11.5.1
Description: 
The Social Private Message module allows users on the platform to send
private messages to each other.

The module does not perform the correct access checks for certain
operations.

Solution: 
Install the latest version:

* If you use the Open Social distribution for Drupal 9.x, upgrade to Open
Social 11.5.1 [3]
* If you use the Open Social distribution for Drupal 9.x, upgrade to Open
Social 11.4.9 [4]

Reported By: 
* zanvidmar [5]

Fixed By: 
* Navneet Singh [6]
* zanvidmar [7]

Coordinated By: 
* Damien McKenna [8] of the Drupal Security Team
* Greg Knaddison [9] of the Drupal Security Team


[1] https://www.drupal.org/project/social
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/social/releases/11.5.1
[4] https://www.drupal.org/project/social/releases/11.4.9
[5] https://www.drupal.org/user/3003243
[6] https://www.drupal.org/user/3200545
[7] https://www.drupal.org/user/3003243
[8] https://www.drupal.org/user/108450
[9] https://www.drupal.org/user/36762
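
A triage check for the affected range given above, as an added example that is not part of the advisory or of Open Social's code: it evaluates the advisory's "Affected versions" expression against installed versions and reports the fixed release to move to. The inventory is constructed, and treating the exclusive upper bound of each range as the fixed release is an assumption that agrees with the Solution section.

```python
import operator
import re

# Copied from the advisory's "Affected versions" line.
AFFECTED = ">=11.4.0 <11.4.9 || >=11.5.0 <11.5.1"

OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt, "=": operator.eq}

def parse_version(text):
    """'11.4.8' -> (11, 4, 8). Pre-release/dev suffixes are rejected, not guessed at."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def parse_constraint(expr):
    """'||' separates alternative ranges; comparators inside one range are ANDed."""
    ranges = []
    for alternative in expr.split("||"):
        comparators = []
        for token in alternative.split():
            m = re.fullmatch(r"(>=|<=|>|<|=)(\S+)", token)
            if not m:
                raise ValueError(f"unsupported comparator: {token!r}")
            comparators.append((m.group(1), parse_version(m.group(2))))
        ranges.append(comparators)
    return ranges

def fixed_release(version, expr=AFFECTED):
    """Return the fixed release for an affected version, or None if unaffected."""
    v = parse_version(version)
    for comparators in parse_constraint(expr):
        if all(OPS[op](v, bound) for op, bound in comparators):
            # Assumption: the exclusive '<' bound of the range is the fixed release.
            upper = next(bound for op, bound in comparators if op == "<")
            return ".".join(map(str, upper))
    return None

# Constructed inventory: site name -> installed Open Social version.
INVENTORY = {"intranet": "11.4.8", "community": "11.5.0", "staging": "11.5.1", "legacy": "11.3.12"}

def triage(inventory=INVENTORY):
    """Map each site to the release it must upgrade to (None = not in range)."""
    return {site: fixed_release(ver) for site, ver in inventory.items()}

if __name__ == "__main__":
    for site, target in triage().items():
        print(f"{site}: {'upgrade to ' + target if target else 'not in affected range'}")
```

Versions are compared as integer tuples, so a string such as `11.4.10` is not mistaken for something older than `11.4.9`.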
