DRUPAL-CONTRIB-2022-061

See a problem?

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/social/DRUPAL-CONTRIB-2022-061.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2022-061

Withdrawn

2026-03-18T18:00:07.245760Z

Published

2022-11-30T15:28:44Z

Modified

2026-03-18T18:00:07.245760Z

Summary

[none]

Details

Social Flexible Group is an Open Social extension that allows users to create groups with many different configurations.

In specific uncommon scenarios, where a platform doesn't have any flexible groups with the "Group members only (secret)" visibility, community groups are visible to anonymous users on the /all-groups page. No other group information is revealed since group access is not affected by this issue.

This vulnerability is mitigated by creating a Flexible Group with visibility "Group members only (secret)".

References

https://www.drupal.org/sa-contrib-2022-061

Credits

- Tiago Siqueira
- - https://www.drupal.org/user/2822445

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/social

Package

Name: drupal/social
Purl: pkg:composer/drupal/social

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

11.4.9

Database specific

{
    "constraint": "<11.4.9"
}

Type

ECOSYSTEM

Events

Introduced

11.5.0

Fixed

11.5.1

Database specific

{
    "constraint": ">=11.5.0 <11.5.1"
}

Database specific

affected_versions

"<11.4.9 || >=11.5.0 <11.5.1"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/social/DRUPAL-CONTRIB-2022-061.json"