View online: https://www.drupal.org/sa-contrib-2022-062
Project: Open Social [1]
Date: 2022-November-30
Security risk: *Moderately critical* 10∕25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Affected versions: >=11.4.0 <11.4.9 || >=11.5.0 <11.5.1
Description: The Social Private Message module allows users on the platform to send private messages to each other.
The module does not properly perform access checks for certain operations.
Solution: Install the latest version:
* If you use the Open Social distribution for Drupal 9.x, upgrade to Open Social 11.5.1 [3]
* If you use the Open Social distribution for Drupal 9.x, upgrade to Open Social 11.4.9 [4]
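
A check for the "Affected versions" range above, as an added example that is not part of the advisory or the Open Social project: it parses the constraint string exactly as the advisory prints it and compares installed version numbers numerically, so that 11.4.10 is not mistaken for a release older than 11.4.9. The site names and versions in the sample inventory are constructed.

```python
import operator
import re

# Constraint copied verbatim from the advisory's "Affected versions" field.
AFFECTED = ">=11.4.0 <11.4.9 || >=11.5.0 <11.5.1"

_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt,
        "<": operator.lt, "=": operator.eq}
_TERM = re.compile(r"^(>=|<=|>|<|=)(\d+(?:\.\d+)*)$")

def parse_version(text):
    """Turn '11.4.8' into (11, 4, 8); reject pre-release or dev strings."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+){0,2}", text):
        raise ValueError(f"unsupported version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def parse_constraint(constraint):
    """Return a list of AND-groups; the groups are OR-ed together ('||')."""
    groups = []
    for alt in constraint.split("||"):
        terms = []
        for token in alt.split():
            m = _TERM.match(token)
            if not m:
                raise ValueError(f"unsupported constraint term: {token!r}")
            terms.append((_OPS[m.group(1)], parse_version(m.group(2))))
        if not terms:
            raise ValueError("empty alternative in constraint")
        groups.append(terms)
    return groups

def is_affected(installed, constraint=AFFECTED):
    """True if the installed version falls inside any affected range."""
    v = parse_version(installed)
    return any(all(op(v, bound) for op, bound in terms)
               for terms in parse_constraint(constraint))

def triage(inventory):
    """Map site name -> True if its Open Social version needs the upgrade."""
    return {site: is_affected(ver) for site, ver in inventory.items()}

if __name__ == "__main__":
    # Constructed inventory; site names and versions are made up.
    sample = {"intranet": "11.4.8", "community": "11.5.1", "legacy": "11.3.2"}
    for site, hit in triage(sample).items():
        print(f"{site}: {'AFFECTED, upgrade' if hit else 'not in listed range'}")
```

A `False` result means only that the version is outside the range this advisory lists; it says nothing about other advisories or about releases the advisory does not mention.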
Reported By:
* zanvidmar [5]
Fixed By:
* Navneet Singh [6]
* zanvidmar [7]
Coordinated By:
* Damien McKenna [8] of the Drupal Security Team
* Greg Knaddison [9] of the Drupal Security Team

[1] https://www.drupal.org/project/social
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/social/releases/11.5.1
[4] https://www.drupal.org/project/social/releases/11.4.9
[5] https://www.drupal.org/user/3003243
[6] https://www.drupal.org/user/3200545
[7] https://www.drupal.org/user/3003243
[8] https://www.drupal.org/user/108450
[9] https://www.drupal.org/user/36762