===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1744
                        Drupal Contributed Projects
                                16 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Drupal Opigno
                   Drupal Opigno Learning path
                   Drupal Multiple Registration
Publisher:         Drupal
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Unauthorised Access      -- Remote/Unauthenticated
                   Access Confidential Data -- Existing Account      
Resolution:        Patch/Upgrade

Original Bulletin: 
   https://www.drupal.org/sa-contrib-2019-046
   https://www.drupal.org/sa-contrib-2019-047
   https://www.drupal.org/sa-contrib-2019-048

Comment: This bulletin contains three (3) Drupal security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

Opigno forum - Less critical - Access bypass - SA-CONTRIB-2019-046

Project: 
Opigno forum
Date: 
2019-May-15
Security risk: 
Less critical 9/25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: 
Access bypass
Description: 

In certain circumstances it is possible that some forum information is
visible to unprivileged users, because the access check is done with node
access rather than with node access grants.

This vulnerability is mitigated by the fact that the module itself does not
disclose the information; it is exposed only where there are listings, such
as views, that the site builder or developer has built without taking this
into account.
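The distinction the advisory draws is between a per-node access check and node access grants, which listing queries also apply. The following is an added example, not Opigno's code, of expressing a members-only forum restriction as grants in a hypothetical custom module; it assumes a 'field_group' entity reference field on forum nodes and a helper mymodule_group_member_ids() that returns an account's group IDs.

```php
<?php
// Added example (not Opigno's code): a members-only forum restriction expressed
// as node access grants. Grant records live in the node_access table and are
// joined into every query tagged node_access (Views node listings by default),
// whereas a bare hook_node_access() check only guards direct node access.
// Assumed (hypothetical): a 'field_group' entity reference field on forum nodes
// and a helper mymodule_group_member_ids() returning an account's group IDs.

use Drupal\Core\Session\AccountInterface;
use Drupal\node\NodeInterface;

const MYMODULE_REALM = 'mymodule_group_member';

/**
 * Implements hook_node_access_records().
 * Runs on node save and during node_access_rebuild(); returning no records
 * for a node leaves it world-viewable (core writes the default grant).
 */
function mymodule_node_access_records(NodeInterface $node) {
  $records = [];
  if ($node->getType() !== 'forum' || !$node->hasField('field_group')) {
    return $records;
  }
  foreach ($node->get('field_group')->referencedEntities() as $group) {
    $records[] = [
      'realm' => MYMODULE_REALM,
      'gid' => (int) $group->id(),
      'grant_view' => 1,
      'grant_update' => 0,
      'grant_delete' => 0,
      'priority' => 0,
    ];
  }
  return $records;
}

/**
 * Implements hook_node_grants().
 * Maps the requesting account to the group IDs it may view; anonymous users
 * get no gids in this realm, so grant-aware listings omit those nodes.
 */
function mymodule_node_grants(AccountInterface $account, $op) {
  if ($op !== 'view' || $account->isAnonymous()) {
    return [];
  }
  $gids = mymodule_group_member_ids($account);  // hypothetical helper
  return $gids ? [MYMODULE_REALM => array_map('intval', $gids)] : [];
}
```

After adding the hooks, rebuild permissions with node_access_rebuild(). A view only honours grants while its "Disable SQL rewriting" query option is off, so that setting is worth checking on any listing of restricted content.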

Solution: 

Install the latest version:

  o If you use the opigno_forum module for Drupal 8.x, upgrade to opigno_forum
    8.x-1.2

Also see the Opigno forum project page.

Reported By: 

  o Nathaniel Catchpole of the Drupal Security Team

Fixed By: 

  o James Aparicio
  o Nathaniel Catchpole of the Drupal Security Team

Coordinated By: 

  o Nathaniel Catchpole of the Drupal Security Team

-----------------------------------------------------------------------------

Opigno Learning path - Moderately critical - Access bypass - SA-CONTRIB-2019-047

Project: 
Opigno Learning path
Date: 
2019-May-15
Security risk: 
Moderately critical 10/25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: 
Access bypass
Description: 

In certain configurations, when a learning path is configured as
semi-private, anonymous users are allowed to join the learning path when
they should not be.

Solution: 

Install the latest version:

  o If you use the opigno_learning_path module for Drupal 8.x, upgrade to
    opigno_learning_path 8.x-1.4
  o If you use the Opigno LMS distribution, it is recommended to update the
    whole distribution to the latest version, Opigno LMS 8.x-1.5

Also see the Opigno Learning path project page.

Reported By: 

  o Nathaniel Catchpole of the Drupal Security Team

Fixed By: 

  o James Aparicio
  o Nathaniel Catchpole of the Drupal Security Team

Coordinated By: 

  o Nathaniel Catchpole of the Drupal Security Team

-----------------------------------------------------------------------------

Multiple Registration - Critical - Access bypass - SA-CONTRIB-2019-048

Project: 
Multiple Registration
Date: 
2019-May-15
Security risk: 
Critical 19/25 AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: 
Access bypass
Description: 

This module enables you to use special routes for user registration, with
special roles and custom field sets defined for each role.

The module does not sufficiently check which user roles may be registered
through these routes, so a user can register an account that carries the
administrator role.

This vulnerability is mitigated on sites where account approval is required:
the new account starts as blocked, but it still receives the "Administrator"
role.
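As a defence-in-depth guard against the class of problem described above, the following is an added example (not the Multiple Registration module's code) in a hypothetical custom module: whichever registration route created the account, an account saved during an anonymous request may only carry allowlisted roles and never the site's configured administrator role. The module name, the role names in the allowlist and the logger channel are assumptions.

```php
<?php
// Added example (not the Multiple Registration module's code): a defence-in-
// depth guard in a hypothetical custom module. Whichever registration route
// created the account, an account saved during an anonymous request may only
// carry allowlisted roles and never the site's configured administrator role.

use Drupal\user\UserInterface;

// Roles that self-registration routes are permitted to assign (assumed names).
const MYMODULE_SELF_REGISTER_ROLES = ['student', 'teacher'];

/**
 * Implements hook_user_presave().
 */
function mymodule_user_presave(UserInterface $account) {
  // Only new accounts created while nobody is logged in, i.e. self-registration;
  // accounts created by an administrator in the UI are left alone.
  if (!$account->isNew() || !\Drupal::currentUser()->isAnonymous()) {
    return;
  }
  // The role flagged as administrator in user.settings (usually 'administrator').
  $admin_role = \Drupal::config('user.settings')->get('admin_role');
  // TRUE excludes the locked anonymous/authenticated roles.
  foreach ($account->getRoles(TRUE) as $rid) {
    if ($rid === $admin_role || !in_array($rid, MYMODULE_SELF_REGISTER_ROLES, TRUE)) {
      $account->removeRole($rid);
      \Drupal::logger('mymodule')->warning(
        'Stripped role @rid from self-registered account @name.',
        ['@rid' => $rid, '@name' => $account->getAccountName()]
      );
    }
  }
}
```

To find accounts that obtained the role before the upgrade, join `user__roles` (rows whose `roles_target_id` is the administrator role) to `users_field_data` on `entity_id = uid` and review `created` and `status` against when the module was installed.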

Solution: 

Install the latest version:

  o If you use the Multiple registration module for Drupal 8.x, upgrade to
    Multiple registration 8.x-2.8

Reported By: 

  o iswilson

Fixed By: 

  o Yaroslav Samoylenko
  o iswilson
  o Cash Williams of the Drupal Security Team

Coordinated By: 

  o Cash Williams of the Drupal Security Team

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================