
it-securitynotifies - [IT-SecNots] [Security-news] Open Social - Moderately critical - Access bypass - SA-CONTRIB-2025-014

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

List archive

[IT-SecNots] [Security-news] Open Social - Moderately critical - Access bypass - SA-CONTRIB-2025-014


  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Open Social - Moderately critical - Access bypass - SA-CONTRIB-2025-014
  • Date: Wed, 12 Feb 2025 17:37:42 +0000 (UTC)
  • Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=Df1Y5IE8; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.133 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-014

Project: Open Social [1]
Date: 2025-February-12
Security risk: *Moderately critical* 12 ∕ 25
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Affected versions: <12.3.11 || >=12.4.0 <12.4.10
Description: 
Open Social is a Drupal distribution for online communities, which ships with
a default (optional) module social_language to make your platform
multilingual.

Some site administration configuration does not correctly check access when
it is being translated, allowing unauthorised users to translate those parts
of the configuration.

The issue is mitigated by the fact that the social_language module must be
enabled with more than one language configured for the bypass to be reachable.

Solution: 
Install the latest version:

* If you use Open Social 12.3.x upgrade to Open Social 12.3.11 [3]
* If you use Open Social 12.4.x upgrade to Open Social 12.4.10 [4]
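An added example (not code from the Drupal Security Team or the Open Social project) that turns the advisory's affected-version expression and its mitigating factor into a check a site operator can run: it parses the range syntax drupal.org advisories use ("<12.3.11 || >=12.4.0 <12.4.10", where whitespace-separated constraints are ANDed and "||" separates alternative ranges), reads the installed version out of composer.lock, and classifies the site. The Composer package name goalgorilla/open_social and the composer.lock layout it reads are assumptions; the sample lock file is constructed for the example.

```python
"""Check an Open Social install against SA-CONTRIB-2025-014.

Added example for this advisory, not project code. Implements the
affected-version syntax used in drupal.org advisories and combines it with
the advisory's stated mitigating factor (social_language enabled with more
than one language). Package name goalgorilla/open_social is an assumption.
"""
import json
import operator
import re

# Affected-version expression copied from the advisory.
AFFECTED = "<12.3.11 || >=12.4.0 <12.4.10"

_CONSTRAINT = re.compile(r"^(<=|>=|<|>|=)?(\d+(?:\.\d+)*(?:-[0-9A-Za-z.]+)?)$")
_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "=": operator.eq}


def parse_version(text):
    """Turn '12.4.10' or '12.4.10-rc1' into a sortable tuple.

    Numeric parts are padded to three components so '12.4' == '12.4.0'.
    A pre-release suffix sorts before the final release; suffixes are
    otherwise compared as plain strings (good enough for this advisory).
    """
    core, _, pre = text.strip().lstrip("v").partition("-")
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))
    return (tuple(parts), 0 if pre else 1, pre)


def _satisfies(constraint, target):
    """Evaluate one constraint such as '>=12.4.0' against a parsed version."""
    match = _CONSTRAINT.match(constraint)
    if not match:
        raise ValueError("unparseable constraint %r" % constraint)
    op, bound = match.groups()
    return _OPS[op or "="](target, parse_version(bound))


def is_affected(version, expression=AFFECTED):
    """True if `version` satisfies any '||'-separated alternative."""
    target = parse_version(version)
    for alternative in expression.split("||"):
        constraints = alternative.split()
        if not constraints:
            raise ValueError("empty alternative in %r" % expression)
        if all(_satisfies(c, target) for c in constraints):
            return True
    return False


def version_from_composer_lock(lock_text, package="goalgorilla/open_social"):
    """Return the locked version of `package` from composer.lock JSON text.

    Assumes the standard composer.lock layout: a top-level "packages" list
    of objects carrying "name" and "version". Returns None if not present.
    """
    for entry in json.loads(lock_text).get("packages", []):
        if entry.get("name") == package:
            return entry.get("version")
    return None


def exposure(version, social_language_enabled, language_count):
    """Classify a site as 'fixed', 'mitigated' or 'exposed'.

    'mitigated' means the version is in an affected range but the
    advisory's precondition (social_language enabled with more than one
    language) is not met; the upgrade is still due, the bypass is just
    not reachable yet.
    """
    if not is_affected(version):
        return "fixed"
    if not social_language_enabled or language_count < 2:
        return "mitigated"
    return "exposed"


if __name__ == "__main__":
    # Constructed composer.lock fragment; not taken from a real site.
    sample_lock = json.dumps({"packages": [
        {"name": "drupal/core", "version": "10.3.10"},
        {"name": "goalgorilla/open_social", "version": "12.4.9"},
    ]})
    found = version_from_composer_lock(sample_lock)
    print(found, exposure(found, social_language_enabled=True, language_count=2))
```

On a real site, feed the function the contents of composer.lock from the project root (or read the version from `composer show goalgorilla/open_social`, assuming that package name), take the module state from `drush pm:list --status=enabled` and the configured language count from `drush language:info`. A "mitigated" result is not a reason to skip the upgrade: enabling a second language later silently turns it into "exposed".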

Reported By: 
* Robert Ragas (robertragas) [5]
* zanvidmar [6]

Fixed By: 
* Denis Kolmerschlag (uber_denis) [7]
* zanvidmar [8]

Coordinated By: 
* Greg Knaddison (greggles) [9] of the Drupal Security Team


[1] https://www.drupal.org/project/social
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/social/releases/12.3.11
[4] https://www.drupal.org/project/social/releases/12.4.10
[5] https://www.drupal.org/u/robertragas
[6] https://www.drupal.org/u/zanvidmar
[7] https://www.drupal.org/u/uber_denis
[8] https://www.drupal.org/u/zanvidmar
[9] https://www.drupal.org/u/greggles

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news



Archive provided by MHonArc 2.6.19+.
