[Security-news] Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-062
security-news at drupal.org
Wed Nov 30 18:18:34 UTC 2022
View online: https://www.drupal.org/sa-contrib-2022-062
Project: Open Social [1]
Date: 2022-November-30
Security risk: *Moderately critical* 10∕25
AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Affected versions: >=11.4.0 <11.4.9 || >=11.5.0 <11.5.1
Description:
The Social Private Message module lets users on the platform send private
messages to each other.
The module does not perform the correct access checks for certain
operations.
Solution:
Install the latest version:
* If you use the Open Social distribution for Drupal 9.x, upgrade to Open
Social 11.5.1 [3]
* If you use the Open Social distribution for Drupal 9.x, upgrade to Open
Social 11.4.9 [4]
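
To check an installed version against this advisory, the following added example (not part of the original advisory or of the Open Social project) evaluates the "Affected versions" constraint above and returns the fixed release named in the Solution for that branch. The function names are hypothetical, and pre-release version strings are rejected rather than guessed at.

```python
import re

# Constraint copied from the advisory's "Affected versions" line.
AFFECTED = ">=11.4.0 <11.4.9 || >=11.5.0 <11.5.1"
# Fixed releases named in the advisory's "Solution" section, keyed by branch.
FIXED = {(11, 4): "11.4.9", (11, 5): "11.5.1"}

_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}

def parse_version(text):
    """Turn '11.4.8' or 'v11.4.8' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        # Suffixes such as '-rc1' or '-dev' are not interpreted; check those by hand.
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def parse_constraint(expr):
    """'||' separates alternatives; comparators within one alternative are ANDed."""
    alternatives = []
    for alt in expr.split("||"):
        clauses = re.findall(r"(>=|<=|>|<|=)\s*(\S+)", alt)
        if not clauses:
            raise ValueError(f"empty constraint alternative in {expr!r}")
        alternatives.append([(_OPS[op], parse_version(v)) for op, v in clauses])
    return alternatives

def is_affected(version, expr=AFFECTED):
    """True if the version satisfies any alternative of the affected range."""
    v = parse_version(version)
    return any(all(op(v, bound) for op, bound in alt)
               for alt in parse_constraint(expr))

def advise(version):
    """Return the fixed release to install, or None if outside the affected range."""
    if not is_affected(version):
        return None
    return FIXED[parse_version(version)[:2]]

if __name__ == "__main__":
    # Constructed sample versions, not taken from any real site.
    for installed in ("11.4.0", "11.4.8", "11.4.9", "11.5.0", "11.5.1", "11.3.12"):
        print(installed, "->", advise(installed) or "not in affected range")
```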
Reported By:
* zanvidmar [5]
Fixed By:
* Navneet Singh [6]
* zanvidmar [7]
Coordinated By:
* Damien McKenna [8] of the Drupal Security Team
* Greg Knaddison [9] of the Drupal Security Team
[1] https://www.drupal.org/project/social
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/social/releases/11.5.1
[4] https://www.drupal.org/project/social/releases/11.4.9
[5] https://www.drupal.org/user/3003243
[6] https://www.drupal.org/user/3200545
[7] https://www.drupal.org/user/3003243
[8] https://www.drupal.org/user/108450
[9] https://www.drupal.org/user/36762