5.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.003 Low
EPSS
Percentile
67.9%
Two issues exist within entity references and permissions relating to OG, allowing users potential access bypass.
Organic Groups does not sufficiently check the group audience fields (e.g. og_group_ref) field from being populated with invalid data. The autocomplete reference field only needs a node id to validate.
An attacker could modify a group audience field in order to post within a group they had no access.
Any user with the ability to create content can use this vulnerability.
Organic Groups manages its own group based permissions. This allows users to have escalated privileges sets in specific groups, but not site-wide. Organic Groups makes the assumption that the group field is populated and when this not populated, a user may have permission to create or edit content outside of a group even though they shouldn’t be allowed to do that.
This vulnerability is mitigated because the following must be true in order for it to work:
Drupal core is not affected. If you do not use the contributed Organic groups module, there is nothing you need to do.
Install the latest version:
Also see the Organic groups project page.
drupal.org/contact
drupal.org/node/2140209
drupal.org/project/og
drupal.org/security-team
drupal.org/security-team/risk-levels
drupal.org/security/secure-configuration
drupal.org/user/2470954
drupal.org/user/45640
drupal.org/user/802140
drupal.org/writing-secure-code
drupal.org/user/1812910
drupal.org/user/329570
drupal.org/user/57511