Open Social - Moderately critical - Access bypass - SA-CONTRIB-2025-014

Project:

Open Social

Date:

2025-February-12

Security risk:

Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default

Vulnerability:

Access bypass

Affected versions:

<12.3.11 || >=12.4.0 <12.4.10

CVE IDs:

CVE-2025-31685

Description:

Open Social is a Drupal distribution for online communities, which ships with a default (optional) module social_language to make your platform multilingual.

Some site administration configuration does not correctly check access when trying to translate allowing unauthorised people to translate these parts.

The issue is mitigated by the fact that social_language needs to be enabled with more than 1 language.

Solution:

Install the latest version:

If you use Open Social 12.3.x upgrade to Open Social 12.3.11
If you use Open Social 12.4.x upgrade to Open Social 12.4.10

Reported By:

Robert Ragas (robertragas)
zanvidmar

Fixed By:

Denis Kolmerschlag (uber_denis)
zanvidmar

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team

Contribution record

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2025-014

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community