View online: https://www.drupal.org/sa-contrib-2024-033
Project: Advanced Varnish [1]
Date: 2024-August-28
Security risk: *Moderately critical* 14∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Affected versions: <4.0.11
Description:
This module enables you to cache pages for logged in users at the Varnish
level.
The Varnish bin names may be guessable when no hashing noise configuration is
set on the module configuration page, which would ultimately allow any user
to view cached pages that were intended for other roles when guessing such a
bin name.
Solution:
*There are two steps.* Install the latest version and update your
configuration:
1) If you use the Advanced Varnish module for Drupal 4.0.x, upgrade to
Advanced Varnish 4.0.11 [3]
2) Go to the module configuration page and set an appropriate value to the
hashing noise configuration.
Reported By:
* Heine Deelstra [4] of the Drupal Security Team
Fixed By:
* Heine Deelstra [5] of the Drupal Security Team
* Alexander Shumenko [6]
Coordinated By:
* Greg Knaddison [7] of the Drupal Security Team
[1] https://www.drupal.org/project/adv_varnish
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/adv_varnish/releases/4.0.11
[4] https://www.drupal.org/user/17943
[5] https://www.drupal.org/user/17943
[6] https://www.drupal.org/user/2297432
[7] https://www.drupal.org/user/36762
View online: https://www.drupal.org/sa-contrib-2024-027
Project: Opigno group manager [1]
Date: 2024-August-07
Security risk: *Critical* 16∕25
AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:All [2]
Vulnerability: Arbitrary PHP code execution
Affected versions: <3.1.1
Description:
The Opigno group manager project is related to Opigno LMS distribution. It
allows to build the contents of learning paths, by combining together
modules, courses, and other activities, ordering them, and defining
conditional rules for the transitions from one step to the next one.
An administration form allows execution of arbitrary code.
This issue is mitigated by several factors. First, it requires the attacker
have the permission "update group learning_path". Additionally, it requires
several steps and depends on other data in the system to be in place.
Solution:
Install the latest version:
* If you use the opigno_group_manager module for Drupal 10.x, upgrade to
opigno_group_manager 3.1.1 [3]
Reported By:
* catch [4] of the Drupal Security Team
* Marcin Grabias [5]
Fixed By:
* Yurii Boichenko [6]
Coordinated By:
* Greg Knaddison [7] of the Drupal Security Team
* Benji Fisher [8] of the Drupal Security Team
[1] https://www.drupal.org/project/opigno_group_manager
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/opigno_group_manager/releases/3.1.1
[4] https://www.drupal.org/user/35733
[5] https://www.drupal.org/user/1599440
[6] https://www.drupal.org/user/624860
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/683300