View online: https://www.drupal.org/sa-contrib-2022-060
Project: Social Base [1]
Date: 2022-November-30
Security risk: *Moderately critical* 14/25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Affected versions: >=2.3 <2.3.4 || >=2.4 <2.4.3

Description: The Social Base theme is designed as a base theme for Open Social. This base theme holds a lot of sensible defaults. It does not, however, contain much styling; we expect developers to want to change this for their own project.
When content within the Open Social distribution is placed within a group then the Socialbase theme renders a link to that group on the content view page.
The link to groups was rendered without sufficiently checking that the viewing user has access to the group. When creating public content in a non-public group this could lead to exposing the existence of the group and the group title to unauthorized users. The group itself remained inaccessible.
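The defect described above is a missing entity access check at render time. The following hypothetical theme preprocess hook is an added example (it is not Socialbase's own code, and the theme name `example_theme` and the field name `group_ref` are assumptions); it shows the unchecked link beside a hardened form that attaches the group's access result to the render array, so the renderer both hides the link for users who may not view the group and bubbles the access result's cacheability so a cached node page cannot leak the link across users.

```php
<?php

/**
 * Hypothetical preprocess hook for node templates in a theme named
 * "example_theme" (assumed name; not Socialbase's real code).
 *
 * The node is assumed to reference its group through an entity reference
 * field named "group_ref" (assumed field name).
 */

use Drupal\Core\Cache\CacheableMetadata;
use Drupal\Core\Link;
use Drupal\group\Entity\GroupInterface;

/**
 * Implements hook_preprocess_HOOK() for node templates.
 */
function example_theme_preprocess_node(array &$variables): void {
  /** @var \Drupal\node\NodeInterface $node */
  $node = $variables['node'];
  $variables['group_link'] = NULL;

  if (!$node->hasField('group_ref') || $node->get('group_ref')->isEmpty()) {
    return;
  }
  $group = $node->get('group_ref')->entity;
  if (!$group instanceof GroupInterface) {
    return;
  }

  // Vulnerable pattern (the class of bug in the advisory): the link is built
  // from the group's label and URL with no access check, so any user who can
  // view the node learns that the group exists and what it is called.
  // $variables['group_link'] = Link::fromTextAndUrl($group->label(), $group->toUrl())->toRenderable();

  // Hardened pattern: build the same link, but gate it on the group entity's
  // own "view" access. Passing TRUE returns an AccessResult object rather than
  // a bare boolean; the renderer honours #access, drops the element when
  // access is not allowed, and merges the result's cache contexts and tags
  // into the rendered output.
  $link = Link::fromTextAndUrl($group->label(), $group->toUrl())->toRenderable();
  $link['#access'] = $group->access('view', NULL, TRUE);

  // Also depend on the group itself, so renaming or deleting the group
  // invalidates any cached page that embedded the link.
  CacheableMetadata::createFromRenderArray($link)
    ->addCacheableDependency($group)
    ->applyTo($link);

  $variables['group_link'] = $link;
}
```

In the Twig template, `{{ group_link }}` then renders nothing for a user the group's access handler rejects, and the node page's render cache is varied by whatever contexts the access result declares (typically the user's group memberships and permissions) instead of serving one user's link to everyone.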
Solution: Install the latest version:

* If you use the Socialbase theme for Drupal 8.x/9.x, upgrade to Socialbase 2.4.3 [3]
* If you use the Socialbase theme for Drupal 8.x/9.x, upgrade to Socialbase 2.3.4 [4]
Reported By:
* Alexander Varwijk [5]

Fixed By:
* Alexander Varwijk [6]
* Ronald te Brake [7]
* Navneet Singh [8]

Coordinated By:
* Damien McKenna [9] of the Drupal Security Team
* Greg Knaddison [10] of the Drupal Security Team
[1] https://www.drupal.org/project/socialbase
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/socialbase/releases/2.4.3
[4] https://www.drupal.org/project/socialbase/releases/2.3.4
[5] https://www.drupal.org/user/1868952
[6] https://www.drupal.org/user/1868952
[7] https://www.drupal.org/user/2314038
[8] https://www.drupal.org/user/3200545
[9] https://www.drupal.org/user/108450
[10] https://www.drupal.org/user/36762