[SECURITY-L] [Security-news] Open Social - Moderately critical - Access bypass - SA-CONTRIB-2021-002

CSIRT Unicamp security em unicamp.br
Quarta Janeiro 27 15:34:00 -03 2021 

View online: https://www.drupal.org/sa-contrib-2021-002

Project: Open Social [1]
Version: 8.x-9.x-dev8.x-8.x-dev
Date: 2021-January-27
Security risk: *Moderately critical* 10∕25
AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Description:
The Social User Export module enables users within Open Social to create an
export of users and download this to a CSV file.

The module doesn't sufficiently check access when building the CSV file,
allowing logged-in users without the manage members permission to be able to
export all data from a selected user in certain scenarios.

This vulnerability is mitigated by the fact that an attacker must have the
authenticated user role and the site must have the configuration set in such
a way a logged in user is able to export users.

Solution:
Install the latest version:

   * If you use Open Social major version 8, upgrade to  8.x-8.10 [3]
   * If you use Open Social major version 9, upgrade to 8.x-9.8 [4]

Reported By:
   * Robert Ragas [5]

Fixed By:
   * Ronald te Brake [6]
   * Alexander Varwijk [7]
   * Bram ten Hove [8]

Coordinated By:
   * Greg Knaddison [9] of the Drupal Security Team


[1] https://www.drupal.org/project/social
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/social/releases/8.x-8.10
[4] https://www.drupal.org/project/social/releases/8.x-9.8
[5] https://www.drupal.org/user/2723261
[6] https://www.drupal.org/user/2314038
[7] https://www.drupal.org/user/1868952
[8] https://www.drupal.org/user/1549848
[9] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news em drupal.org

Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - Unicamp
Centro de Computacao - CCUEC
GnuPG Public Key: http://www.security.unicamp.br/security.asc [^]
Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830
-------------- Próxima Parte ----------
Um anexo em HTML foi limpo...
URL: <http://www.listas.unicamp.br/pipermail/security-l/attachments/20210127/a6a3c70c/attachment.html>

Mais detalhes sobre a lista de discussão SECURITY-L