Open Social - Moderately critical - Access bypass - SA-CONTRIB-2021-002

Project: Open Social
Versions: 8.x-9.x-dev, 8.x-8.x-dev
Date: 2021-January-27
Security risk: Moderately critical 10∕25
Vulnerability: Access bypass

Description

The Social User Export module enables users within Open Social to create an export of users and download this to a CSV file.

The module doesn't sufficiently check access when building the CSV file, allowing logged-in users without the manage members permission to be able to export all data from a selected user in certain scenarios.

This vulnerability is mitigated by the fact that an attacker must have the authenticated user role and the site must have the configuration set in such a way a logged in user is able to export users.

Solution

Install the latest version:

If you use Open Social major version 8, upgrade to 8.x-8.10
If you use Open Social major version 9, upgrade to 8.x-9.8

Nick Onom
Marketing Project Manager

Enthusiastic about all kinds of Open Source applications, AI, bitcoins, but mostly Drupal and Backdrop. For last years has been actively developing AltaGrade's new back-end system.

Drupal · Security

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2021-002

Description

Solution

We value your opinion. Please add your feedback.