[Security-news] Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-076
security-news at drupal.org
security-news at drupal.org
Wed Dec 11 17:46:48 UTC 2024
View online: https://www.drupal.org/sa-contrib-2024-076
Project: Open Social [1]
Date: 2024-December-11
Security risk: *Moderately critical* 12 ∕ 25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Affected versions: <12.3.10 || >=12.4.0 <12.4.9
Description:
Open Social is a Drupal distribution for online communities, which ships with
a default (optional) module social_file_private to ensure the images and
files provided by the distribution are stored in the private instead of the
public filesystem.
During updates from Open Social versions installed prior to 11.8.0 these
files were not updated correctly and as a result the module didn't allow
access checks to run correctly.
Solution:
Install the latest version and make sure to run the update hooks.
* If you use Open Social 12.3.x upgrade to Open Social 12.3.10 [3]
* If you use Open Social 12.4.x upgrade to Open Social 12.4.9 [4]
Reported By:
* corn696 [5]
Fixed By:
* corn696 [6]
* Robert Ragas [7]
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/social
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/social/releases/12.3.10
[4] https://www.drupal.org/project/social/releases/12.4.9
[5] https://www.drupal.org/user/3544002
[6] https://www.drupal.org/user/3544002
[7] https://www.drupal.org/user/2723261
[8] https://www.drupal.org/user/36762
More information about the Security-news
mailing list