[Security-news] Group control for forums - Critical - Access bypass - SA-CONTRIB-2023-008
security-news at drupal.org
security-news at drupal.org
Wed Mar 1 17:54:33 UTC 2023
View online: https://www.drupal.org/sa-contrib-2023-008
Project: Group control for forums [1]
Date: 2023-March-01
Security risk: *Critical* 15∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Affected versions: >=2.0.0 <2.0.2
Description:
This module enables you to associate Forums as Group 1.x content and use
Group access permissions.
Previous versions of the module incorrectly set node access on creation, and
did not correctly restrict access to lists of forum topics.
Solution:
Install the latest version:
* If you use the Group control for forums module for Drupal 9.x or 10.x,
upgrade to Group control for forums 2.0.2 [3]
Reported By:
* ekes [4]
Fixed By:
* Jürgen Haas [5]
* ekes [6]
Coordinated By:
* Damien McKenna [7] of the Drupal Security Team
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/group_forum
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/group_forum/releases/2.0.2
[4] https://www.drupal.org/user/10083
[5] https://www.drupal.org/user/168924
[6] https://www.drupal.org/user/10083
[7] https://www.drupal.org/user/108450
[8] https://www.drupal.org/user/36762
More information about the Security-news
mailing list