[Security-news] Opigno forum - Less critical - Access bypass - SA-CONTRIB-2019-046
security-news at drupal.org
security-news at drupal.org
Wed May 15 17:32:45 UTC 2019
View online: https://www.drupal.org/sa-contrib-2019-046
Project: Opigno forum [1]
Date: 2019-May-15
Security risk: *Less critical* 9∕25
AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass
Description:
In certain circumstances it is possible that certain forum information is
available to unprivileged users because the access check is done with node
access instead of grants.
This vulnerability is mitigated by the fact that the module itself does not
disclose information but only if there are listings such as views where the
site builder / developer has not taken this into account.
Solution:
Install the latest version:
* If you use the opigno_forum module for Drupal 8.x, upgrade to
opigno_forum
8.x-1.2 [3]
Also see the Opigno forum [4] project page.
Reported By:
* Nathaniel Catchpole [5] of the Drupal Security Team
Fixed By:
* James Aparicio [6]
* Nathaniel Catchpole [7] of the Drupal Security Team
Coordinated By:
* Nathaniel Catchpole [8] of the Drupal Security Team
[1] https://www.drupal.org/project/opigno_forum
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/opigno_forum/releases/8.x-1.2
[4] https://www.drupal.org/project/opigno_forum
[5] https://www.drupal.org/user/35733
[6] https://www.drupal.org/user/2547544
[7] https://www.drupal.org/user/35733
[8] https://www.drupal.org/user/35733
More information about the Security-news
mailing list