View online: https://www.drupal.org/sa-contrib-2019-047
Project: Opigno Learning path [1]
Date: 2019-May-15
Security risk: *Moderately critical* 10∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Description: In certain configuration cases, when a learning path is configured as semi-private, anonymous users are allowed to join a learning path when they should not.
Solution: Install the latest version:
* If you use the opigno learning path module for Drupal 8.x, upgrade to opigno_learning_path 8.x-1.4 [3]
* If using the opigno lms distribution it is recommended to update the whole distribution to the latest version Opigno lms 8.x-1.5 [4]
Also see the Opigno Learning path [5] project page.
Reported By:
* Nathaniel Catchpole [6] of the Drupal Security Team
Fixed By:
* James Aparicio [7]
* Nathaniel Catchpole [8] of the Drupal Security Team
Coordinated By:
* Nathaniel Catchpole [9] of the Drupal Security Team
[1] https://www.drupal.org/project/opigno_learning_path
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/opigno_learning_path/releases/8.x-1.4
[4] https://www.drupal.org/project/opigno_lms/releases/8.x-1.5
[5] https://www.drupal.org/project/opigno_learning_path
[6] https://www.drupal.org/user/35733
[7] https://www.drupal.org/user/2547544
[8] https://www.drupal.org/user/35733
[9] https://www.drupal.org/user/35733