View online: https://www.drupal.org/sa-contrib-2021-019

Project: Opigno group manager [1] Date: 2021-June-23 Security risk: *Less critical* 9∕25 AC:Complex/A:None/CI:None/II:None/E:Theoretical/TD:All [2] Vulnerability: UI redressing (clickjacking)

Description:  This project is related to Opigno LMS distribution. It implements the group manager in the Opigno LMS.

The module does not set X-Frame-Options and blocks ability of other modules (e.g Security Kit [3]) to add them, leaving it vulnerable to Clickjacking.

Solution:  Install the latest version:

* If you use the Opigno group manager module for Drupal 8.x, upgrade to a version greater than 8.x-1.7 Opigno group manager 8.x-1.8 or later [4]

The issue was fixed in public but needed a security advisory. Users of the module are encouraged to upgrade to at least 8.x-1.8 or a later version to gain protection against this weakness.

Reported By:  * Bryan Butler [5]

Fixed By:  * James Aparicio [6]

Coordinated By:  * Greg Knaddison [7] of the Drupal Security Team * Damien McKenna [8] of the Drupal Security Team

[1] https://www.drupal.org/project/opigno_group_manager [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/seckit [4] https://www.drupal.org/project/opigno_group_manager/releases/8.x-1.8 [5] https://www.drupal.org/user/3591325 [6] https://www.drupal.org/user/2547544 [7] https://www.drupal.org/user/36762 [8] https://www.drupal.org/user/108450