it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Group control for forums - Critical - Access bypass - SA-CONTRIB-2023-008
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Group control for forums - Critical - Access bypass - SA-CONTRIB-2023-008
- Date: Wed, 1 Mar 2023 17:54:33 +0000 (UTC)
- Authentication-results: mail.piratenpartei.de; dkim=none; spf=pass (mail.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.138 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2023-008
Project: Group control for forums [1]
Date: 2023-March-01
Security risk: *Critical* 15∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Affected versions: >=2.0.0 <2.0.2
Description:
This module enables you to associate Forums as Group 1.x content and use
Group access permissions.
Previous versions of the module incorrectly set node access on creation, and
did not correctly restrict access to lists of forum topics.
Solution:
Install the latest version:
* If you use the Group control for forums module for Drupal 9.x or 10.x,
upgrade to Group control for forums 2.0.2 [3]
Reported By:
* ekes [4]
Fixed By:
* Jürgen Haas [5]
* ekes [6]
Coordinated By:
* Damien McKenna [7] of the Drupal Security Team
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/group_forum
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/group_forum/releases/2.0.2
[4] https://www.drupal.org/user/10083
[5] https://www.drupal.org/user/168924
[6] https://www.drupal.org/user/10083
[7] https://www.drupal.org/user/108450
[8] https://www.drupal.org/user/36762