View online: https://www.drupal.org/sa-contrib-2025-014
Project: Open Social [1]
Date: 2025-February-12
Security risk: *Moderately critical* 12 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Affected versions: <12.3.11 || >=12.4.0 <12.4.10
Description:
Open Social is a Drupal distribution for online communities, which ships with a default (optional) module social_language to make your platform multilingual.
Access is not correctly checked when translating some site administration configuration, allowing unauthorised people to translate these parts.
The issue is mitigated by the fact that social_language needs to be enabled with more than 1 language.
Solution:
Install the latest version:
* If you use Open Social 12.3.x upgrade to Open Social 12.3.11 [3]
* If you use Open Social 12.4.x upgrade to Open Social 12.4.10 [4]
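For triaging several installations against the affected range and the mitigating factor above, an added example follows; it is not part of the advisory or of Open Social. The inventory field names and the sample sites are assumptions constructed for illustration.

```python
import re

# Fixed releases named in the advisory; the affected range is
# "<12.3.11 || >=12.4.0 <12.4.10".
FIXED_12_3 = (12, 3, 11)
FIXED_12_4 = (12, 4, 10)

def parse_version(text):
    """Parse a plain X.Y.Z release; anything else needs manual review."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.groups())

def in_affected_range(version):
    v = parse_version(version)
    return v < FIXED_12_3 or (12, 4, 0) <= v < FIXED_12_4

def triage(site):
    """Classify one inventory record (field names are assumptions)."""
    try:
        if not in_affected_range(site["version"]):
            return "not affected"
    except ValueError:
        return "unknown version: review manually"
    # Mitigating factor from the advisory: social_language must be
    # enabled with more than 1 language for the bypass to apply.
    if site["social_language_enabled"] and site["language_count"] > 1:
        return "exposed: upgrade now"
    return "affected version, precondition not met: upgrade"

# Constructed sample inventory, not real sites.
SAMPLE_SITES = [
    {"name": "community-a", "version": "12.3.10",
     "social_language_enabled": True, "language_count": 2},
    {"name": "community-b", "version": "12.4.9",
     "social_language_enabled": False, "language_count": 1},
    {"name": "community-c", "version": "12.4.10",
     "social_language_enabled": True, "language_count": 3},
    {"name": "community-d", "version": "12.4.x-dev",
     "social_language_enabled": True, "language_count": 2},
]

def report(sites):
    return {site["name"]: triage(site) for site in sites}

if __name__ == "__main__":
    for name, status in report(SAMPLE_SITES).items():
        print(f"{name}: {status}")
```
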
Reported By:
* Robert Ragas (robertragas) [5]
* zanvidmar [6]

Fixed By:
* Denis Kolmerschlag (uber_denis) [7]
* zanvidmar [8]

Coordinated By:
* Greg Knaddison (greggles) [9] of the Drupal Security Team
[1] https://www.drupal.org/project/social
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/social/releases/12.3.11
[4] https://www.drupal.org/project/social/releases/12.4.10
[5] https://www.drupal.org/u/robertragas
[6] https://www.drupal.org/u/zanvidmar
[7] https://www.drupal.org/u/uber_denis
[8] https://www.drupal.org/u/zanvidmar
[9] https://www.drupal.org/u/greggles