- Forum Access 1.x-1.x versions prior to 1.x-1.6.
This module changes your forum administration page to allow you to set forums to private. You can control what user roles can view, edit, delete, and post to each forum. You can also give each forum a list of users who have administrative access on that forum (AKA moderators). This module requires the ACL module.
The module processes user input in a way that could be unsafe. This can lead to Remote Code Execution via Object Injection.
This vulnerability is mitigated by the fact that an attacker needs the "administer forums" permission.
This Security Advisory is being released in coordination with BACKDROP-SA-CONTRIB-2023-005 for the ACL module, on which Forum Access depends.
Install the latest version:
- If you use the Forum Access module upgrade to Forum Access 1.x-1.6
The ACL module (a dependency) should also be updated.
- Drew Webber of the Drupal Security Team