it-securitynotifies AT lists.piratenpartei.de
Betreff: Sicherheitsankündigungen
Listenarchiv
[IT-SecNots] [Security-news] Open Social - Moderately critical - Information Disclosure - SA-CONTRIB-2024-005
Chronologisch Thread
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Open Social - Moderately critical - Information Disclosure - SA-CONTRIB-2024-005
- Date: Wed, 24 Jan 2024 18:39:00 +0000 (UTC)
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 6995683E44
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org C6F3383E17
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org CC6AA60BA2
- Dkim-filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 1410B60B5A
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2024-005
Project: Open Social [1]
Date: 2024-January-24
Security risk: *Moderately critical* 13∕25
AC:None/A:User/CI:Some/II:None/E:Proof/TD:Default [2]
Vulnerability: Information Disclosure
Affected versions: <12.0.5
Description:
Open Social is a Drupal distribution for online communities.
The included optional social_group_flexible_group module doesn't sufficiently
validate group updates. The lack of validation makes it possible to have
content inside the group changing it's visibility, which could lead to that
content being shown to a broader audience than intended.
This vulnerability is mitigated by the fact the module
social_group_flexible_group needs to be enabled.
Solution:
Install the latest version of Open Social:
* If you use the Open Social distribution for Drupal 12.x, upgrade to Open
Social 12.0.5 [3]
Reported By:
* Taras Kruts [4]
Fixed By:
* Taras Kruts [5]
* Ronald te Brake [6]
Coordinated By:
* Damien McKenna [7] of the Drupal Security Team
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/social
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/social/releases/12.0.5
[4] https://www.drupal.org/user/1449610
[5] https://www.drupal.org/user/1449610
[6] https://www.drupal.org/user/2314038
[7] https://www.drupal.org/user/108450
[8] https://www.drupal.org/user/36762
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
- [IT-SecNots] [Security-news] Open Social - Moderately critical - Information Disclosure - SA-CONTRIB-2024-005, security-news, 24.01.2024
Archiv bereitgestellt durch MHonArc 2.6.19+.