Project: 
Open Social
Date: 
2021-January-27
Security risk: 
Moderately critical 12∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: 
Access bypass
Affected versions: 
<8.10.0 || >=9.0.0 <9.8.0
Description: 

The optional Social Auth Extra module enables you to use the single sign-on methods provided by Open Social e.g. Facebook, LinkedIn, Google and Twitter.

The module doesn't implement a proper cache strategy for anonymous users allowing the registration form to be cached with disclosed information in certain scenarios. The information is usually only available for logged-in users of the community.

This vulnerability is mitigated by the fact that social_auth_extra needs to be enabled, one of the single sign-on methods needs to be configured. There is no impact for regular registration without single sign-on.

Removing the single sign-on providers from configuration will allow this vulnerability to be blocked.

Solution: 

Install the latest version:

  • If you use Open Social major version 8, upgrade to 8.x-8.10
  • If you use Open Social major version 9, upgrade to 8.x-9.8
Reported By: 
Fixed By: 
Coordinated By: