it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-076
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-076
- Date: Wed, 11 Dec 2024 17:46:48 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2024-076
Project: Open Social [1]
Date: 2024-December-11
Security risk: *Moderately critical* 12/25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Affected versions: <12.3.10 || >=12.4.0 <12.4.9
Description:
Open Social is a Drupal distribution for online communities. It ships with a
default (optional) module, social_file_private, whose purpose is to store the
images and files provided by the distribution in the private filesystem
instead of the public one, so that downloads go through Drupal's access checks.
When a site was installed on an Open Social version prior to 11.8.0 and later
updated, these files were not migrated correctly, and as a result the module
did not allow the access checks to run correctly for them.
Solution:
Install the latest version and make sure to run the update hooks.
* If you use Open Social 12.3.x upgrade to Open Social 12.3.10 [3]
* If you use Open Social 12.4.x upgrade to Open Social 12.4.9 [4]
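The advisory's fix depends on two things being true afterwards: the private filesystem is actually in use for the distribution's files, and the update hooks that migrate existing files have run. The following read-only check, an added example that is not part of the advisory or of the Open Social project, can be run with `drush php:script` after upgrading and `drush updatedb` to confirm that state. It assumes Drupal 10-era core APIs (FieldStorageConfig, Settings, the database service) and treats every file and image field as one that should use the private scheme; sites that intentionally keep some public fields should narrow the loop accordingly.

```php
<?php
// Added example, not the advisory's or the Open Social project's own code:
// a post-upgrade consistency check for private file storage.
// Assumption: run via `drush php:script check_private_files.php` on a
// bootstrapped Drupal 10 site; no field names are taken from the advisory.

use Drupal\Core\Site\Settings;
use Drupal\field\Entity\FieldStorageConfig;

$problems = [];

// 1. The private filesystem must be configured, otherwise private:// cannot
//    resolve and uploads silently fall back to public://.
$private_path = Settings::get('file_private_path');
if (empty($private_path)) {
  $problems[] = 'file_private_path is not set in settings.php; the private scheme is unusable.';
}

// 2. The module that enforces private storage should be installed.
if (!\Drupal::moduleHandler()->moduleExists('social_file_private')) {
  $problems[] = 'social_file_private is not installed; uploads default to public://.';
}

// 3. Every file/image field storage should be configured for the private scheme.
//    (Assumption: all such fields are expected to be private; adjust as needed.)
foreach (FieldStorageConfig::loadMultiple() as $storage) {
  if (!in_array($storage->getType(), ['file', 'image'], TRUE)) {
    continue;
  }
  $scheme = $storage->getSetting('uri_scheme');
  if ($scheme !== 'private') {
    $problems[] = sprintf(
      '%s.%s uses scheme "%s" (expected "private")',
      $storage->getTargetEntityTypeId(),
      $storage->getName(),
      $scheme
    );
  }
}

// 4. Files already on disk: anything still under public:// is served directly
//    by the web server and never reaches Drupal's hook_file_download() checks,
//    which is exactly the gap the update hooks are meant to close.
$public_count = (int) \Drupal::database()
  ->select('file_managed', 'f')
  ->condition('f.uri', 'public://%', 'LIKE')
  ->countQuery()
  ->execute()
  ->fetchField();
if ($public_count > 0) {
  $problems[] = "$public_count managed file(s) still stored under public://";
}

if ($problems) {
  foreach ($problems as $p) {
    echo "[WARN] $p\n";
  }
  exit(1);
}
echo "[OK] private file storage configuration looks consistent\n";
```

A non-zero exit with a non-zero public:// count after `drush updatedb` suggests the migration did not run for this site; the query is deliberately a count only, so the script changes nothing and can be rerun safely.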
Reported By:
* corn696 [5]
Fixed By:
* corn696 [6]
* Robert Ragas [7]
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/social
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/social/releases/12.3.10
[4] https://www.drupal.org/project/social/releases/12.4.9
[5] https://www.drupal.org/user/3544002
[6] https://www.drupal.org/user/3544002
[7] https://www.drupal.org/user/2723261
[8] https://www.drupal.org/user/36762