Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-004

Project:

Open Social

Date:

2024-January-24

Security risk:

Moderately critical 10 ∕ 25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default

Vulnerability:

Access bypass

Affected versions:

<12.05

CVE IDs:

CVE-2024-13240

Description:

Content within Open Social can have different visibilities. It is possible for a user to create public content even when this should not be allowed.
This vulnerability is mitigated by the fact that the site must have public visibility disabled on a global level.

Solution:

Install the latest version of Open Social:

If you use the Open Social distribution for Drupal 12.x, upgrade to Open Social 12.0.5

Reported By:

Corn696

Fixed By:

Coordinated By:

Damien McKenna of the Drupal Security Team
Greg Knaddison of the Drupal Security Team

Contribution record

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Bluesky, or Mastodon or Linkedin.

Contributing organizations for this advisory

The security team is made up of volunteers around the world. The companies above have sponsored time on this release.

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-004

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community