[Security-news] SA-CONTRIB-2014-105 - OG Menu - Access Bypass
security-news at drupal.org
security-news at drupal.org
Wed Oct 29 19:03:30 UTC 2014
View online: https://www.drupal.org/node/2365685
* Advisory ID: DRUPAL-SA-CONTRIB-2014-105
* Project: OG Menu [1] (third-party module)
* Version: 7.x
* Date: 2014-October-29
* Security risk: 13/25 ( Moderately Critical)
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Access bypass, Information Disclosure
-------- DESCRIPTION
---------------------------------------------------------
OG Menu allows using menus within Organic Groups.
The permissions for accessing the module settings were to broad, possibly
granting access to users who would normally not be able to change the OG Menu
configuration.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "access administration pages".
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance
with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* OG Menu 7.x-2.x versions prior to 7.x-2.2.
Drupal core is not affected. If you do not use the contributed OG Menu [4]
module,
there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version of the 7.x-2.x branch:
* If you use the OG Menu module for Drupal 7.x, upgrade to OG Menu 7.x-2.2
[5]
The OG Menu 7.x-3.x branch is not affected.
Also see the OG Menu [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Lucas D Hedding [7]
-------- FIXED BY
------------------------------------------------------------
* Wim Vanheste [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Greg Knaddison [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
[1] https://www.drupal.org/project/og_menu
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/og_menu
[5] https://www.drupal.org/node/2365259
[6] https://www.drupal.org/project/og_menu
[7] https://www.drupal.org/user/1463982
[8] https://www.drupal.org/user/655596
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
More information about the Security-news
mailing list