[Security-news] Group - Moderately critical - Information disclosure - SA-CONTRIB-2020-032
security-news at drupal.org
security-news at drupal.org
Wed Aug 5 19:51:22 UTC 2020
View online: https://www.drupal.org/sa-contrib-2020-032
Project: Group [1]
Version: 8.x-1.x-dev
Date: 2020-August-05
Security risk: *Moderately critical* 12∕25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Information disclosure
Description:
The Group module enables you to hand out permissions on a smaller subset,
section or community of your website.
With the 1.1 security release, new code was introduced to ensure proper
access for all entity types, but a mistake introduced unexpected access to
unpublished nodes.
Solution:
Install the latest version:
* If you are using 8.x-1.0 [3] or later, you should upgrade to 8.x-1.2 [4].
* If you are using 8.x-1.0-rc5 [5], that version is not affected by this
issue. You can also consider upgrading to 8.x-1.2 [6].
Reported By:
* Sean Blommaert [7]
* Martijn Vermeulen [8]
Fixed By:
* Kristiaan Van den Eynde [9]
[1] https://www.drupal.org/project/group
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/group/releases/8.x-1.0
[4] https://www.drupal.org/project/group/releases/8.x-1.2
[5] https://www.drupal.org/project/group/releases/8.x-1.0-rc5
[6] https://www.drupal.org/project/group/releases/8.x-1.2
[7] https://www.drupal.org/user/545912
[8] https://www.drupal.org/user/960720
[9] https://www.drupal.org/user/1345130
More information about the Security-news
mailing list