Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2019-May-15
Vulnerability:
Access bypass
Affected versions:
<1.4.0
Description:
In certain configuration cases, when a learning path is configured as semi-private, anonymous users are allowed to join a learning path when they should not.
Solution:
Install the latest version:
- If you use the opigno learning path module for Drupal 8.x, upgrade to opigno_learning_path 8.x-1.4
- If using the opigno lms distribution it is recommended to update the whole distribution to the latest version Opigno lms 8.x-1.5
Also see the Opigno Learning path project page.
Reported By:
- Nathaniel Catchpole of the Drupal Security Team
Fixed By:
- James Aparicio
- Nathaniel Catchpole of the Drupal Security Team
Coordinated By:
- Nathaniel Catchpole of the Drupal Security Team
