Vulnerability from drupal
Published: 2022-11-30 15:20
Modified: 2023-08-10 18:23
Summary
Details

The Social Base theme is designed as a base theme for Open Social. This base
theme has a lot of sensible defaults. It doesn't, however, contain much
styling. We expect developers to want to change this for their own project.

When content within the Open Social distribution is placed within a group, the Socialbase theme renders a link to that group on the content view page.

The link to groups was rendered without sufficiently checking that the viewing user has access to the group. When public content was created in a non-public group, this could expose the existence of the group and the group title to unauthorized users. The group itself remained inaccessible.

Credits

{
  "affected": [
    {
      "database_specific": {
        "affected_versions": "\u003e=2.3 \u003c2.3.4 || \u003e=2.4 \u003c2.4.3"
      },
      "package": {
        "ecosystem": "Packagist:https://packages.drupal.org/8",
        "name": "drupal/socialbase"
      },
      "ranges": [
        {
          "database_specific": {
            "constraint": "\u003e=2.3 \u003c2.3.4"
          },
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "database_specific": {
            "constraint": "\u003e=2.4 \u003c2.4.3"
          },
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": []
    }
  ],
  "aliases": [],
  "credits": [
    {
      "contact": [
        "https://www.drupal.org/user/1868952"
      ],
      "name": "Alexander Varwijk"
    }
  ],
  "details": "The Social Base theme is designed as a base theme for Open Social. This base  \ntheme holds has a lot of sensible defaults. It doesn\u0027t however contain much  \nstyling. We expect developers to want to change this for their own project.\n\nWhen content within the Open Social distribution is placed within a group then the Socialbase theme renders a link to that group on the content view page.\n\nThe link to groups was rendered without sufficiently checking that the viewing user has access to the group. When creating public content in a non-public group this could lead to exposing the existence of the group and the group title to unauthorized users. The group itself remained inaccessible.",
  "id": "DRUPAL-CONTRIB-2022-060",
  "modified": "2023-08-10T18:23:08.000Z",
  "published": "2022-11-30T15:20:10.000Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2022-060"
    }
  ],
  "schema_version": "1.7.0"
}