DRUPAL-CONTRIB-2021-002

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/social/DRUPAL-CONTRIB-2021-002.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2021-002
Withdrawn
2026-03-18T18:00:07.485730Z
Published
2021-01-27T17:27:57Z
Modified
2026-03-18T18:00:07.485730Z
Summary
[none]
Details

The Social User Export module enables users within Open Social to create an export of users and download it as a CSV file.

The module doesn't sufficiently check access when building the CSV file, allowing logged-in users without the manage members permission to export all data from a selected user in certain scenarios.

This vulnerability is mitigated by the fact that an attacker must have the authenticated user role and the site must be configured in such a way that a logged-in user is able to export users.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/social

Package

Name
drupal/social
Purl
pkg:composer/drupal/social

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
8.10.0
Database specific
{
    "constraint": "<8.10.0"
}
Type
ECOSYSTEM
Events
Introduced
9.0.0
Fixed
9.8.0
Database specific
{
    "constraint": ">=9.0.0 <9.8.0"
}

Database specific

affected_versions
"<8.10.0 || >=9.0.0 <9.8.0"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/social/DRUPAL-CONTRIB-2021-002.json"