[Security-news] Open Social - Moderately critical - Access bypass - SA-CONTRIB-2025-014
security-news at drupal.org
Wed Feb 12 17:37:42 UTC 2025
View online: https://www.drupal.org/sa-contrib-2025-014
Project: Open Social [1]
Date: 2025-February-12
Security risk: *Moderately critical* 12 ∕ 25
AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Affected versions: <12.3.11 || >=12.4.0 <12.4.10
Description:
Open Social is a Drupal distribution for online communities, which ships with
a default (optional) module social_language to make your platform
multilingual.
Some site administration configuration does not correctly check access when
it is translated, allowing unauthorised people to translate these parts.
The issue is mitigated by the fact that social_language needs to be enabled
with more than 1 language.
Solution:
Install the latest version:
* If you use Open Social 12.3.x, upgrade to Open Social 12.3.11 [3]
* If you use Open Social 12.4.x, upgrade to Open Social 12.4.10 [4]
Reported By:
* Robert Ragas (robertragas) [5]
* zanvidmar [6]
Fixed By:
* Denis Kolmerschlag (uber_denis) [7]
* zanvidmar [8]
Coordinated By:
* Greg Knaddison (greggles) [9] of the Drupal Security Team
[1] https://www.drupal.org/project/social
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/social/releases/12.3.11
[4] https://www.drupal.org/project/social/releases/12.4.10
[5] https://www.drupal.org/u/robertragas
[6] https://www.drupal.org/u/zanvidmar
[7] https://www.drupal.org/u/uber_denis
[8] https://www.drupal.org/u/zanvidmar
[9] https://www.drupal.org/u/greggles
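A check of an installed version against the "Affected versions" constraint above, as an added example that is not part of the advisory or the Open Social project's code. It assumes plain numeric versions (a pre-release suffix such as "-rc1" is rejected rather than guessed at); the function names and sample versions are constructed for illustration.

```python
import re

# Constraint copied from the advisory's "Affected versions" line.
AFFECTED = "<12.3.11 || >=12.4.0 <12.4.10"

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}


def parse_version(text):
    """Turn '12.4.9' into (12, 4, 9); reject anything not purely numeric."""
    if not re.fullmatch(r"\d+(\.\d+){0,2}", text):
        raise ValueError(f"unsupported version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(installed, constraint=AFFECTED):
    """True if `installed` falls inside the constraint.

    '||' separates alternatives; the whitespace-separated comparisons
    inside one alternative must all hold.
    """
    version = parse_version(installed)
    for alternative in constraint.split("||"):
        clauses = alternative.split()
        if not clauses:
            raise ValueError("empty alternative in constraint")
        results = []
        for clause in clauses:
            m = re.fullmatch(r"(<=|>=|<|>|=)(.+)", clause)
            if not m:
                raise ValueError(f"unsupported clause: {clause!r}")
            results.append(_OPS[m.group(1)](version, parse_version(m.group(2))))
        if all(results):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real site.
    for v in ("12.3.10", "12.3.11", "12.4.0", "12.4.9", "12.4.10", "13.0.0"):
        print(v, "affected" if is_affected(v) else "not affected")
```

A version inside the range is only half of the picture: per the advisory, the issue also requires social_language to be enabled with more than 1 language.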