MidnightBSD

Advisories for organic_groups_project

CVE-2013-4228 MEDIUM

The OG access fields (visibility fields) implementation in Organic Groups (OG) module 7.x-2.x before 7.x-2.3 for Drupal does not properly restrict access to private groups, which allows remote authenticated users to guess node IDs, subscribe to, and read the content of arbitrary private groups via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-863,

Products Affected

Vendor Product Version
organic_groups_project organic_groups 7.x-2.1
organic_groups_project organic_groups 7.x-2.2
organic_groups_project organic_groups 7.x-2.0
CVE-2013-7065 MEDIUM

The Organic Groups (OG) module 7.x-2.x before 7.x-2.3 for Drupal allows remote attackers to bypass access restrictions and post to arbitrary groups via a group audience field, as demonstrated by the og_group_ref field.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
organic_groups_project organic_groups 7.x-2.1
organic_groups_project organic_groups 7.x-2.2
organic_groups_project organic_groups 7.x-2.0
organic_groups_project organic_groups 7.x-2.x
CVE-2013-7068 MEDIUM

The Organic Groups (OG) module 7.x-2.x before 7.x-2.3 for Drupal allows remote authenticated users to bypass group restrictions on nodes with all groups set to optional input via an empty group field.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
organic_groups_project organic_groups 7.x-2.1
organic_groups_project organic_groups 7.x-2.2
organic_groups_project organic_groups 7.x-2.0
organic_groups_project organic_groups 7.x-2.x