Open Social - SQL Injection & Authentication Bypass vulnarabilities - SA-CONTRIB-2021-010 & SA-CONTRIB-2021-011

Open Social - SQL Injection & Authentication Bypass vulnarabilities - SA-CONTRIB-2021-010 & SA-CONTRIB-2021-011

Open Social - Moderately critical - SQL Injection - SA-CONTRIB-2021-010

Project: Open Social
Date: 2021-June-02
Security risk: Moderately critical 11∕25 AC:Complex/A:User/CI:All/II:None/E:Theoretical/TD:Default
Vulnerability: SQL Injection

Description

This Open Social distribution provides a turn-key system for building customized social networks.

The module doesn't sufficiently process data in certain circumstances.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access mentions".

Solution

Install the latest version:

  • If you use Open Social 9.x, upgrade to 8.x-9.17
  • If you use Open Social 10.0.x, upgrade to 10.0.13
  • If you use Open Social 10.1.x, upgrade to 10.1.6

Open Social - Critical - Authentication Bypass - SA-CONTRIB-2021-011

Project: Open Social
Date: 2021-June-02
Security risk: Critical 15∕25
Vulnerability: Authentication Bypass

Description

Open Social is a Drupal distribution for online communities.

The included social_magic_login module doesn't sufficiently validate magic login URLs for user accounts. The lack of validation makes it possible for an adversary to forge valid login URLs and login to such an account.

This vulnerability is mitigated by the fact the module social_magic_login needs to be enabled.

Solution

Install the latest version of Open Social:

Alternatively, disable the module social_magic_login.

Nick Onom's picture
Nick Onom
Marketing Project Manager
Enthusiastic about all kinds of Open Source applications, AI, bitcoins, but mostly Drupal and Backdrop. For last years has been actively developing AltaGrade's new back-end system.

We value your opinion. Please add your feedback.