DRUPAL-CONTRIB-2023-035

See a problem?
Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/forum_access/DRUPAL-CONTRIB-2023-035.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2023-035
Published
2023-08-23T14:54:52Z
Modified
2025-12-10T23:33:52.026304Z
Summary
[none]
Details

This module changes your forum administration page to allow you to set forums private. You can control what user roles can view, edit, delete, and post to each forum. You can also give each forum a list of users who have administrative access on that forum (AKA moderators). This module requires the ACL module.

The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.

This vulnerability is mitigated by the fact that an attacker needs the "administer forums" permission.

This Security Advisory is being released in coordination with SA-CONTRIB-2023-034 for the ACL module, on which Forum Access depends.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/forum_access

Package

Name
drupal/forum_access
Purl
pkg:composer/drupal/forum_access

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.0.0
Database specific 
{
    "constraint": "<1.0.0"
}

Database specific

affected_versions 
"<1.0.0"
source 
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/forum_access/DRUPAL-CONTRIB-2023-035.json"