View online: https://www.drupal.org/sa-contrib-2021-010 Project: Open Social [1] Date: 2021-June-02 Security risk: *Moderately critical* 11∕25 AC:Complex/A:User/CI:All/II:None/E:Theoretical/TD:Default [2] Vulnerability: SQL Injection Description:  This Open Social distribution provides a turn-key system for building customized social networks. The module doesn't sufficiently process data in certain circumstances. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access mentions". Solution:  Install the latest version: * If you use Open Social 9.x, upgrade to 8.x-9.17 [3] * If you use Open Social 10.0.x, upgrade to 10.0.13 [4] * If you use Open Social 10.1.x, upgrade to 10.1.6 [5] Reported By:  * mindaugasd [6] Fixed By:  * mindaugasd [7] * Alexander Varwijk [8] * Drew Webber [9] of the Drupal Security Team * Ronald te Brake [10] * Neil Drumm [11] of the Drupal Security Team Coordinated By:  * Greg Knaddison [12] of the Drupal Security Team [1] https://www.drupal.org/project/social [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/social/releases/8.x-9.17 [4] https://www.drupal.org/project/social/releases/10.0.13 [5] https://www.drupal.org/project/social/releases/10.1.6 [6] https://www.drupal.org/user/330097 [7] https://www.drupal.org/user/330097 [8] https://www.drupal.org/user/1868952 [9] https://www.drupal.org/user/255969 [10] https://www.drupal.org/user/2314038 [11] https://www.drupal.org/user/3064 [12] https://www.drupal.org/user/36762