Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-076 - Security-news

11 Dec 2024


      View online: https://www.drupal.org/sa-contrib-2024-076
Project: Open Social [1]
Date: 2024-December-11
Security risk: *Moderately critical* 12 ∕ 25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Affected versions: <12.3.10 || >=12.4.0  <12.4.9
Description: 
Open Social is a Drupal distribution for online communities, which ships with
a default (optional) module social_file_private to ensure the images and
files provided by the distribution are stored in the private instead of the
public filesystem.
During updates from Open Social versions installed prior to 11.8.0 these
files were not updated correctly and as a result the module didn't allow
access checks to run correctly.
Solution: 
Install the latest version and make sure to run the update hooks.
* If you use Open Social 12.3.x upgrade to Open Social 12.3.10 [3]
   * If you use Open Social 12.4.x upgrade to Open Social 12.4.9 [4]
Reported By: 
   * corn696 [5]
Fixed By: 
   * corn696 [6]
   * Robert Ragas [7]
Coordinated By: 
   * Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/social
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/social/releases/12.3.10
[4] https://www.drupal.org/project/social/releases/12.4.9
[5] https://www.drupal.org/user/3544002
[6] https://www.drupal.org/user/3544002
[7] https://www.drupal.org/user/2723261
[8] https://www.drupal.org/user/36762