Open Social - Moderately critical - Access bypass - SA-CONTRIB-2021-001

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2021-001

Project: Open Social
Versions: 8.x-9.x-dev, 8.x-8.x-dev
Date: 2021-January-27
Security risk: Moderately critical 12∕25
Vulnerability: Access bypass

Description

The optional Social Auth Extra module enables you to use the single sign-on methods provided by Open Social e.g. Facebook, LinkedIn, Google and Twitter.

The module doesn't implement a proper cache strategy for anonymous users allowing the registration form to be cached with disclosed information in certain scenarios. The information is usually only available for logged-in users of the community.

This vulnerability is mitigated by the fact that social_auth_extra needs to be enabled, one of the single sign-on methods needs to be configured. There is no impact for regular registration without single sign-on.

Removing the single sign-on providers from configuration will allow this vulnerability to be blocked.

Solution

Install the latest version:

If you use Open Social major version 8, upgrade to 8.x-8.10
If you use Open Social major version 9, upgrade to 8.x-9.8

Nick Onom's picture
Nick Onom
Marketing Project Manager
Enthusiastic about all kind of Open Source applications, AI, bitcoins, but mostly about Drupal. For last years has been actively developing AltaGrade's new back-end system.

We value your opinion. Please add your feedback.