Vulnerability from drupal
Published
2022-05-25 16:49
Modified
2023-08-10 21:32
Summary
Details
Open Social is a Drupal distribution for online communities.
Group entities created within Open Social did not sufficiently check entity access in group overviews, allowing users to see information in the overviews that they should not have had access to. Visiting the entity directly applied the correct access checks.
This vulnerability is mitigated by the fact that an attacker must be able to view Group entities in an overview and have certain common permissions revoked.
Please note that the affected versions were already unsupported; this advisory is released additionally because there are still reported installs of the affected versions.
Credits
Dmitry Kiselev
www.drupal.org/user/1945174
{
  "affected": [
    {
      "database_specific": {
        "affected_versions": "\u003c11.0.0"
      },
      "package": {
        "ecosystem": "Packagist:https://packages.drupal.org/8",
        "name": "drupal/social"
      },
      "ranges": [
        {
          "database_specific": {
            "constraint": "\u003c11.0.0"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": []
    }
  ],
  "aliases": [],
  "credits": [
    {
      "contact": [
        "https://www.drupal.org/user/1945174"
      ],
      "name": "Dmitry Kiselev"
    }
  ],
  "details": "Open Social is a Drupal distribution for online communities.\n\nGroup entities created within Open Social did not sufficiently check entity access in group overviews, allowing users to see information in the overviews they should not have access to. Visiting the entity directly resulted in correct access checks applied.\n\nThis vulnerability is mitigated by the fact that an attacker must be able to view Group entities in an overview and have certain common permissions revoked.\n\nPlease note the affected versions were already unsupported, this advisory is released additionally as there are still reported installs for the affected versions.",
  "id": "DRUPAL-CONTRIB-2022-043",
  "modified": "2023-08-10T21:32:49.000Z",
  "published": "2022-05-25T16:49:46.000Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2022-043"
    }
  ],
  "schema_version": "1.7.0"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.