"It has been a pleasure to work with Casey, Rick and Phil from Ricochet. We were initially faced with a dip in productivity on our project due to some team member's contributing to DrupalCon Munich. Casey and team were able to step in, ramp up, and start contributing to solutions immediately. When our team members returned from Munich, we decided the Ricochet guys were too valuable and helpful to let go, so we have kept them on as members of the team until launch.
—Suzy Bates, Four Kitchens

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-076

Wed, 2024-12-11 08:53 — Anonymous (not verified)

Project: Open SocialDate: 2024-December-11Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassAffected versions: <12.3.10 || >=12.4.0 <12.4.9Description: Open Social is a Drupal distribution for online communities, which ships with a default (optional) module social_file_private to ensure the images and files provided by the distribution are stored in the private instead of the public filesystem.
For installations of Open Social prior to version 11.8.0, after updating to 11.8.0 or higher, newly uploaded files were no longer stored in the private file system as intended. Instead, they were stored in the public file system.Solution: Install the latest version and make sure to run the update hooks.

If you use Open Social 12.3.x upgrade to Open Social 12.3.10
If you use Open Social 12.4.x upgrade to Open Social 12.4.9

Reported By:

corn696

Fixed By:

Coordinated By:

Greg Knaddison of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2024-076

Search form

Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-076