Description
The OG access fields (visibility fields) implementation in Organic Groups (OG) module 7.x-2.x before 7.x-2.3 for Drupal does not properly restrict access to private groups, which allows remote authenticated users to guess node IDs, subscribe to, and read the content of arbitrary private groups via unspecified vectors.
References
- Mailing List, Third Party Advisory
- Third Party Advisory, VDB Entry
- Release Notes, Vendor Advisory
- Vendor Advisory
- VDB Entry, Vendor Advisory
Vulnerable configurations
Configuration 1
One of
cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:-:*:*:*:drupal:*:*
cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:alpha1:*:*:*:drupal:*:*
cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:alpha2:*:*:*:drupal:*:*
cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:alpha3:*:*:*:drupal:*:*
cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:beta1:*:*:*:drupal:*:*
cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:beta2:*:*:*:drupal:*:*
cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:beta3:*:*:*:drupal:*:*
cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:beta4:*:*:*:drupal:*:*
cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:rc1:*:*:*:drupal:*:*
cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:rc2:*:*:*:drupal:*:*
cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:rc3:*:*:*:drupal:*:*
cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.0:rc4:*:*:*:drupal:*:*
cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.1:*:*:*:*:drupal:*:*
cpe:2.3:a:organic_groups_project:organic_groups:7.x-2.2:*:*:*:*:drupal:*:*
EPSS
Percentile: 46%
0.00234
Low
CVSS3: 4.3 Medium
CVSS2: 4 Medium
Weaknesses
CWE-863
Related vulnerabilities
CVSS3: 4.3
github
almost 4 years ago
The OG access fields (visibility fields) implementation in Organic Groups (OG) module 7.x-2.x before 7.x-2.3 for Drupal does not properly restrict access to private groups, which allows remote authenticated users to guess node IDs, subscribe to, and read the content of arbitrary private groups via unspecified vectors.