Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-043

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-043

Project: Open Social
Date: 2022-May-25
Security risk: Moderately critical 14∕25
Vulnerability: Access bypass

Description

Open Social is a Drupal distribution for online communities.

Group entities created within Open Social did not sufficiently check entity access in group overviews, allowing users to see information in the overviews they should not have access to. Visiting the entity directly resulted in correct access checks applied.

This vulnerability is mitigated by the fact that an attacker must be able to view Group entities in an overview and have certain common permissions revoked.

Please note the affected versions were already unsupported, this advisory is released additionally as there are still reported installs for the affected versions.

Solution

Install the latest versions:

If you use Open Social versions prior to 11.0.0, upgrade to at least Open Social 11.0.0 where this issue is resolved

Preferably use one of the supported versions:

Open Social 11.3.0
Open Social 11.2.3
Open Social 11.1.7

Nick Onom's picture
Nick Onom
Marketing Project Manager
Enthusiastic about all kinds of Open Source applications, AI, bitcoins, but mostly Drupal and Backdrop. For last years has been actively developing AltaGrade's new back-end system.

We value your opinion. Please add your feedback.