it-securitynotifies - [IT-SecNots] [Security-news] Forum Access - Critical - Arbitrary PHP code execution - SA-CONTRIB-2023-035

it-securitynotifies AT lists.piratenpartei.de


  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Forum Access - Critical - Arbitrary PHP code execution - SA-CONTRIB-2023-035
  • Date: Wed, 23 Aug 2023 18:21:41 +0000 (UTC)
  • Authentication-results: mail.piratenpartei.de; dkim=none; spf=pass (mail.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.137 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2023-035

Project: Forum Access [1]
Date: 2023-August-23
Security risk: *Critical* 17/25
AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All [2]
Vulnerability: Arbitrary PHP code execution

Affected versions: <1.0.0
Description: 
This module changes your forum administration page to allow you to set forums
private. You can control what user roles can view, edit, delete, and post to
each forum. You can also give each forum a list of users who have
administrative access on that forum (AKA moderators). This module requires
the ACL module.

The module processes user input in a way that could be unsafe. This can lead
to Remote Code Execution via Object Injection.

This vulnerability is mitigated by the fact that an attacker needs the
"administer forums" permission.

This Security Advisory is being released in coordination with
SA-CONTRIB-2023-034 [3] for the ACL module, on which Forum Access depends.
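The description above names PHP object injection as the route to code execution: user input that reaches unserialize() lets the input choose which class gets instantiated, so any class with side-effecting magic methods (__wakeup, __destruct) becomes reachable. The following is an added, generic illustration and not the Forum Access module's code; the advisory does not say which call the module used, and the unserialize() pattern, the AuditLogEntry class, the function names and the sample settings blob are all assumptions (PHP 8 syntax). It shows the weak form beside two hardened forms, plus a simple check a defender can run over stored settings to spot values that look like serialized objects:

```php
<?php
// Added illustration, not Forum Access module code. Assumes a generic pattern:
// a per-forum settings blob saved from an admin form and later unserialized.
declare(strict_types=1);

// Constructed, harmless stand-in for a "gadget" class: with plain
// unserialize(), PHP instantiates whatever class name the input carries and
// its magic methods run with attacker-chosen property values.
final class AuditLogEntry {
    public string $message = '';
    public function __destruct() {
        // A real gadget would do something far worse here; this only logs.
        error_log('AuditLogEntry destructed: ' . $this->message);
    }
}

// Constructed sample input: a serialized object of the class above.
$untrusted = 'O:13:"AuditLogEntry":1:{s:7:"message";s:14:"from user form";}';

// Weak form: unserialize() honours the class name embedded in the input.
function loadSettingsWeak(string $blob): mixed {
    return unserialize($blob);
}

// Hardened form 1: forbid object instantiation; any object in the input
// becomes __PHP_Incomplete_Class, so no magic method runs on untrusted data.
function loadSettingsSafe(string $blob): mixed {
    return unserialize($blob, ['allowed_classes' => false]);
}

// Hardened form 2 (preferred for new code): keep settings as JSON, a format
// with no notion of classes at all, and validate the shape after decoding.
function loadSettingsJson(string $json): array {
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new UnexpectedValueException('settings must be a JSON object');
    }
    return $data;
}

// Detection aid for stored data: a serialized PHP object starts with
// O:<length>:" at the top level or inside an array element.
function looksLikeSerializedObject(string $blob): bool {
    return (bool) preg_match('/(^|[;{])O:\d+:"/', $blob);
}

$weak = loadSettingsWeak($untrusted);
var_dump($weak instanceof AuditLogEntry);            // live object created
$safe = loadSettingsSafe($untrusted);
var_dump($safe instanceof __PHP_Incomplete_Class);   // inert placeholder
var_dump(looksLikeSerializedObject($untrusted));
var_dump(loadSettingsJson('{"roles":{"view":["moderator"]}}'));
```

The allowed_classes option only neutralises the object-instantiation step; if the data model genuinely needs objects, pass an explicit allow-list of class names rather than true, and prefer JSON for anything that originates from a form. The looksLikeSerializedObject() check is coarse (it also flags legitimate serialized objects) but is cheap to run over a configuration table when auditing a site for stored serialized data.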

Solution: 
Install the latest version:

* If you use the Forum Access module for Drupal 7.x, upgrade to Forum Access
7.x-1.6 [4]
* If you use the Forum Access module 8.x-1.0-beta3 or below, upgrade to
Forum Access 8.x-1.0 [5]

The ACL module (a dependency) must also be updated.

Reported By: 
* Drew Webber [6] of the Drupal Security Team

Fixed By: 
* Drew Webber [7] of the Drupal Security Team
* Hans Salvisberg [8]
* Jen Lampton [9] Provisional Member of the Drupal Security Team

Coordinated By: 
* Drew Webber [10] of the Drupal Security Team
* Damien McKenna [11] of the Drupal Security Team
* Greg Knaddison [12] of the Drupal Security Team
* Michael Hess [13] of the Drupal Security Team


[1] https://www.drupal.org/project/forum_access
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/sa-contrib-2023-034
[4] https://www.drupal.org/project/forum_access/releases/7.x-1.6
[5] https://www.drupal.org/project/forum_access/releases/8.x-1.0
[6] https://www.drupal.org/user/255969
[7] https://www.drupal.org/user/255969
[8] https://www.drupal.org/user/82964
[9] https://www.drupal.org/user/85586
[10] https://www.drupal.org/user/255969
[11] https://www.drupal.org/user/108450
[12] https://www.drupal.org/user/36762
[13] https://www.drupal.org/user/102818

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
