[Security-news] Social Base - Moderately critical - Access bypass - SA-CONTRIB-2022-060
security-news at drupal.org
security-news at drupal.org
Wed Nov 30 18:16:59 UTC 2022
View online: https://www.drupal.org/sa-contrib-2022-060
Project: Social Base [1]
Date: 2022-November-30
Security risk: *Moderately critical* 14∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Affected versions: >=2.3 <2.3.4 || >=2.4 <2.4.3
Description:
The Social Base theme is designed as a base theme for Open Social. This base
theme holds has a lot of sensible defaults. It doesn't however contain much
styling. We expect developers to want to change this for their own project.
When content within the Open Social distribution is placed within a group
then the Socialbase theme renders a link to that group on the content view
page.
The link to groups was rendered without sufficiently checking that the
viewing user has access to the group. When creating public content in a
non-public group this could lead to exposing the existence of the group and
the group title to unauthorized users. The group itself remained
inaccessible.
Solution:
Install the latest version:
* If you use the Socialbase module theme for Drupal 8.x/9.x, upgrade to
Socialbase 2.4.3 [3]
* If you use the Socialbase module theme for Drupal 8.x/9.x, upgrade to
Socialbase 2.3.4 [4]
Reported By:
* Alexander Varwijk [5]
Fixed By:
* Alexander Varwijk [6]
* Ronald te Brake [7]
* Navneet Singh [8]
Coordinated By:
* Damien McKenna [9] of the Drupal Security Team
* Greg Knaddison [10] of the Drupal Security Team
[1] https://www.drupal.org/project/socialbase
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/socialbase/releases/2.4.3
[4] https://www.drupal.org/project/socialbase/releases/2.3.4
[5] https://www.drupal.org/user/1868952
[6] https://www.drupal.org/user/1868952
[7] https://www.drupal.org/user/2314038
[8] https://www.drupal.org/user/3200545
[9] https://www.drupal.org/user/108450
[10] https://www.drupal.org/user/36762
More information about the Security-news
mailing list