View online: https://www.drupal.org/sa-contrib-2023-035
Project: Forum Access [1]
Date: 2023-August-23
Security risk: *Critical* 17∕25 AC:Basic/A:Admin/CI:All/II:All/E:Theoretical/TD:All [2]
Vulnerability: Arbitrary PHP code execution
Affected versions: <1.0.0
Description: This module changes your forum administration page to allow you to set forums private. You can control what user roles can view, edit, delete, and post to each forum. You can also give each forum a list of users who have administrative access on that forum (AKA moderators). This module requires the ACL module.
The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.
This vulnerability is mitigated by the fact that an attacker needs the "administer forums" permission.
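The advisory names the bug class (PHP object injection) but does not show code. The following snippet is an added illustration, not code from the Forum Access module or its fix: it shows how passing untrusted data to unserialize() instantiates whatever class the payload names and runs that class's magic methods, and the two standard defences (allowed_classes => false, or a data-only format such as JSON). The class AuditLogger, the variable names and the serialized string are constructed for the example.

```php
<?php
// Added example, not Forum Access code. Any class with magic methods that run
// during unserialize() is a potential "gadget"; this harmless one only reports
// that it was instantiated, so the risk is visible without doing anything.
class AuditLogger {
    public $target = '/tmp/audit.log';
    public function __wakeup() {
        echo "AuditLogger::__wakeup() ran with target={$this->target}\n";
    }
}

// Constructed stand-in for a serialized value arriving from a form field or
// request parameter: it names a class and sets a property of the attacker's choosing.
$untrusted = 'O:11:"AuditLogger":1:{s:6:"target";s:20:"/tmp/attacker-chosen";}';

// VULNERABLE pattern: unserialize() on attacker-controlled input. PHP creates
// the named object and runs __wakeup() (and later __destruct()) without any
// check by the application.
$obj = unserialize($untrusted);
echo 'vulnerable: got ', get_class($obj), "\n";

// HARDENED 1: forbid object instantiation. Objects in the payload become
// __PHP_Incomplete_Class and no magic methods execute.
$safe = unserialize($untrusted, ['allowed_classes' => false]);
echo 'hardened (allowed_classes=false): got ', get_class($safe),
     ', is AuditLogger? ', var_export($safe instanceof AuditLogger, true), "\n";

// HARDENED 2: for anything that crosses a trust boundary, prefer a format that
// cannot express PHP objects at all, and fail closed on malformed input.
$json = json_encode(['target' => '/tmp/audit.log']);
$data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
echo 'hardened (json): got ', gettype($data), "\n";
```

For review purposes, grep the code base for unserialize( calls whose argument can be influenced by a request and confirm each either passes allowed_classes or is replaced by json_decode(). The page's own mitigation, that the "administer forums" permission is required, limits who can reach the unsafe path but does not remove it.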
This Security Advisory is being released in coordination with SA-CONTRIB-2023-034 [3] for the ACL module, on which Forum Access depends.
Solution: Install the latest version:
* If you use the Forum Access module for Drupal 7.x, upgrade to Forum Access 7.x-1.6 [4]
* If you use the Forum Access module 8.x-1.0-beta3 or below, upgrade to Forum Access 8.x-1.0 [5]
The ACL module (a dependency) must also be updated.
Reported By:
* Drew Webber [6] of the Drupal Security Team
Fixed By:
* Drew Webber [7] of the Drupal Security Team
* Hans Salvisberg [8]
* Jen Lampton [9] Provisional Member of the Drupal Security Team
Coordinated By:
* Drew Webber [10] of the Drupal Security Team
* Damien McKenna [11] of the Drupal Security Team
* Greg Knaddison [12] of the Drupal Security Team
* Michael Hess [13] of the Drupal Security Team
[1] https://www.drupal.org/project/forum_access
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/sa-contrib-2023-034
[4] https://www.drupal.org/project/forum_access/releases/7.x-1.6
[5] https://www.drupal.org/project/forum_access/releases/8.x-1.0
[6] https://www.drupal.org/user/255969
[7] https://www.drupal.org/user/255969
[8] https://www.drupal.org/user/82964
[9] https://www.drupal.org/user/85586
[10] https://www.drupal.org/user/255969
[11] https://www.drupal.org/user/108450
[12] https://www.drupal.org/user/36762
[13] https://www.drupal.org/user/102818