- Forum Access 1.x-1.x versions prior to 1.x-1.6.
This module changes your forum administration page to allow you to set forums to private. You can control what user roles can view, edit, delete, and post to each forum. You can also give each forum a list of users who have administrative access on that forum (AKA moderators). This module requires the ACL module.
The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.
This vulnerability is mitigated by the fact that an attacker needs the "administer forums" permission.
This Security Advisory is being released in coordination with BACKDROP-SA-CONTRIB-2023-005 for the ACL module, on which Forum Access depends.
Install the latest version:
- If you use the Forum Access module upgrade to Forum Access 1.x-1.6
The ACL module (a dependency) should also be updated.
- Drew Webber of the Drupal Security Team
- Drew Webber of the Drupal Security Team
- Hans Salvisberg
- Jen Lampton of the Backdrop CMS Security Team
- Tim Erickson, Backdrop module maintainer
- Drew Webber of the Drupal Security Team
- Damien McKenna of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Michael Hess of the Drupal Security Team
- Jen Lampton of the Backdrop CMS Security Team