CVE-2013-4228

MEDIUM

Organic Groups 7.x-2.x < 7.x-2.3 - Authenticated Private Group Access Bypass

Title source: llm

Description

The OG access fields (visibility fields) implementation in Organic Groups (OG) module 7.x-2.x before 7.x-2.3 for Drupal does not properly restrict access to private groups, which allows remote authenticated users to guess node IDs, subscribe to, and read the content of arbitrary private groups via unspecified vectors.

References (5)

Core References
Vendor Advisory x_refsource_misc
https://drupal.org/node/2059765
Mailing List, Third Party Advisory x_refsource_misc
http://www.openwall.com/lists/oss-security/2013/08/10/1
Third Party Advisory, VDB Entry x_refsource_misc
http://www.securityfocus.com/bid/61708
Release Notes, Vendor Advisory x_refsource_misc
https://drupal.org/node/2059755
VDB Entry, Vendor Advisory x_refsource_misc
https://exchange.xforce.ibmcloud.com/vulnerabilities/86328

Scores

CVSS v3 4.3
EPSS 0.0116
EPSS Percentile 63.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-863
Status published
Products (3)
organic_groups_project/organic_groups 7.x-2.0 (12 CPE variants)
organic_groups_project/organic_groups 7.x-2.1
organic_groups_project/organic_groups 7.x-2.2
Published Feb 18, 2020
Tracked Since Feb 18, 2026