DRUPAL-CONTRIB-2024-045

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/monster_menus/DRUPAL-CONTRIB-2024-045.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2024-045

Aliases

CVE-2024-13281

Published

2024-10-09T15:48:10Z

Modified

2025-12-10T23:41:29.206166Z

Summary

[none]

Details

This module enables you to group nodes within pages that have a highly-granular, distributed permissions structure.

A function which can be used by third-party code does not return valid data under certain rare circumstances. If the third-party code relies on this data to decide whether to grant access to content, it may grant more access than was intended.

This vulnerability is only present in sites that have custom code calling the mm_content_get_uids_in_group() function with a single UID of zero (0) in the second parameter.

References

https://www.drupal.org/sa-contrib-2024-045

Credits

- Dan Wilga
- - https://www.drupal.org/user/56892

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/monster_menus

Package

Name: drupal/monster_menus
Purl: pkg:composer/drupal/monster_menus

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

9.3.2

Database specific

{
    "constraint": "<9.3.2"
}

Database specific

affected_versions

"<9.3.2"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/monster_menus/DRUPAL-CONTRIB-2024-045.json"