Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2022-November-30
Vulnerability:
Access bypass
Affected versions:
>=2.3 <2.3.4 || >=2.4 <2.4.3
Description:
The Social Base theme is designed as a base theme for Open Social. This base
theme holds has a lot of sensible defaults. It doesn't however contain much
styling. We expect developers to want to change this for their own project.
When content within the Open Social distribution is placed within a group then the Socialbase theme renders a link to that group on the content view page.
The link to groups was rendered without sufficiently checking that the viewing user has access to the group. When creating public content in a non-public group this could lead to exposing the existence of the group and the group title to unauthorized users. The group itself remained inaccessible.
Solution:
Install the latest version:
- If you use the Socialbase module theme for Drupal 8.x/9.x, upgrade to Socialbase 2.4.3
- If you use the Socialbase module theme for Drupal 8.x/9.x, upgrade to Socialbase 2.3.4
Reported By:
Fixed By:
Coordinated By:
- Damien McKenna of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
