Security advisories

Open Social is a Drupal distribution for online communities.

The included optional social_group_flexible_group module doesn't sufficiently validate group updates. The lack of validation makes it possible to have content inside the group changing it's visibility, which could lead to that content being shown to a broader audience than intended.

This vulnerability is mitigated by the fact the module social_group_flexible_group needs to be enabled.

This module enables you to allow and/or require users to use a second authentication method in addition to password authentication.

In some cases, the module allows users to log in with an authentication plugin that an administrator has disabled.

This vulnerability is mitigated by the fact that an attacker must obtain a valid first-factor login credential, that an administrator must enable and then disable an authentication plugin, and that an attacker must obtain the valid second factor credential for the disabled plugin.

The Typogrify module brings the typographic refinements of Typogrify to Drupal. It provides a text filter and a Twig filter.

The typogrify Twig filter can be used to bypass the Twig auto-escape feature, leading to a persistent Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that it is only exposed when the twig filter is specifically used in a template to render content.

This module allows you to turn various data sources (Eg CSV or JSON file) into interactive visualisation. The DVF module provides a field (storage, widget & formatter) that can be added to any entity.

This module uses two third-party JS libraries having from low to medium vulnerabilities. One of the vulnerabilities is a Cross Site Scripting vulnerability that may affect Drupal sites as a Persistent Cross Site Scripting vulnerability (i.e. not reflected). This release updates the libraries.