View online: https://www.drupal.org/sa-contrib-2019-046
Project: Opigno forum [1] Date: 2019-May-15 Security risk: *Less critical* 9∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Uncommon [2] Vulnerability: Access bypass
Description: In certain circumstances it is possible that certain forum information is available to unprivileged users because the access check is done with node access instead of grants.
This vulnerability is mitigated by the fact that the module itself does not disclose information but only if there are listings such as views where the site builder / developer has not taken this into account.
Solution: Install the latest version:
* If you use the opigno_forum module for Drupal 8.x, upgrade to opigno_forum 8.x-1.2 [3]
Also see the Opigno forum [4] project page.
Reported By: * Nathaniel Catchpole [5] of the Drupal Security Team
Fixed By: * James Aparicio [6] * Nathaniel Catchpole [7] of the Drupal Security Team
Coordinated By: * Nathaniel Catchpole [8] of the Drupal Security Team
[1] https://www.drupal.org/project/opigno_forum [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/opigno_forum/releases/8.x-1.2 [4] https://www.drupal.org/project/opigno_forum [5] https://www.drupal.org/user/35733 [6] https://www.drupal.org/user/2547544 [7] https://www.drupal.org/user/35733 [8] https://www.drupal.org/user/35733