Open Social - Moderately critical - Information Disclosure - SA-CONTRIB-2024-005

Project:

Open Social

Date:

2024-January-24

Security risk:

Moderately critical 13 ∕ 25 AC:None/A:User/CI:Some/II:None/E:Proof/TD:Default

Vulnerability:

Information Disclosure

Affected versions:

<12.0.5

CVE IDs:

CVE-2024-13241

Description:

Open Social is a Drupal distribution for online communities.

The included optional social_group_flexible_group module doesn't sufficiently validate group updates. The lack of validation makes it possible to have content inside the group changing it's visibility, which could lead to that content being shown to a broader audience than intended.

This vulnerability is mitigated by the fact the module social_group_flexible_group needs to be enabled.

Solution:

Install the latest version of Open Social:

If you use the Open Social distribution for Drupal 12.x, upgrade to Open Social 12.0.5

Reported By:

Taras Kruts
SV

Fixed By:

Taras Kruts
Ronald te Brake

Coordinated By:

Damien McKenna of the Drupal Security Team
Greg Knaddison of the Drupal Security Team

Contribution record

Open Social - Moderately critical - Information Disclosure - SA-CONTRIB-2024-005

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community