Vulnerability from drupal
Published: 2023-08-23 14:54
Modified: 2023-08-23 18:45

Details

This module changes your forum administration page to allow you to set forums private. You can control what user roles can view, edit, delete, and post to each forum. You can also give each forum a list of users who have administrative access on that forum (AKA moderators). This module requires the ACL module.

The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.

This vulnerability is mitigated by the fact that an attacker needs the "administer forums" permission.

This Security Advisory is being released in coordination with SA-CONTRIB-2023-034 for the ACL module, on which Forum Access depends.

Credits

{
  "affected": [
    {
      "database_specific": {
        "affected_versions": "\u003c1.0.0"
      },
      "package": {
        "ecosystem": "Packagist:https://packages.drupal.org/8",
        "name": "drupal/forum_access"
      },
      "ranges": [
        {
          "database_specific": {
            "constraint": "\u003c1.0.0"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": []
    }
  ],
  "aliases": [],
  "credits": [
    {
      "contact": [
        "https://www.drupal.org/user/255969"
      ],
      "name": "Drew Webber"
    }
  ],
  "details": "This module changes your forum administration page to allow you to set forums private. You can control what user roles can view, edit, delete, and post to each forum. You can also give each forum a list of users who have administrative access on that forum (AKA moderators). This module requires the ACL module.\n\nThe module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.\n\nThis vulnerability is mitigated by the fact that an attacker needs the \"administer forums\" permission.\n\nThis Security Advisory is being released in coordination with [SA-CONTRIB-2023-034](https://www.drupal.org/sa-contrib-2023-034) for the ACL module, on which Forum Access depends.",
  "id": "DRUPAL-CONTRIB-2023-035",
  "modified": "2023-08-23T18:45:59.000Z",
  "published": "2023-08-23T14:54:52.000Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2023-035"
    }
  ],
  "schema_version": "1.7.0"
}

