The Group Manager and Learning Path modules for the Opigno learning management system on Drupal 8.x contained potential openings for so-called clickjacking. Drupal's security advisories rate the risk as “Less Critical”; nevertheless, the Opigno developers advise users to upgrade to the available secure module versions.
In clickjacking, buttons on a web page are deliberately overlaid with other images to trick users into clicking on content that appears harmless but is actually harmful. According to the advisories, clickjacking would have been possible in the two Opigno modules because they did not support setting the so-called X-Frame-Options header and at the same time prevented other (security) modules from setting it.
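As an added example (not taken from the advisories or from the Opigno code), the following Python sketch classifies the anti-framing headers of a response, which is one way to confirm after the upgrade that pages served by these modules carry X-Frame-Options or an equivalent CSP frame-ancestors directive. The function names and the sample header sets are assumptions constructed for illustration.

```python
# Added example: classify a response's anti-framing (clickjacking) headers.
OPEN_SOURCES = {"*", "http:", "https:"}  # frame-ancestors sources that allow any site

def frame_ancestors(csp):
    """Return the frame-ancestors source list of one CSP header value, or None."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def framing_verdict(headers):
    """headers: list of (name, value) pairs as received, duplicates kept.
    Returns 'protected', 'unprotected' or 'review'."""
    xfo, policies = set(), []
    for name, value in headers:
        key = name.strip().lower()
        if key == "x-frame-options":
            # Repeated headers are equivalent to one comma-joined value.
            xfo.update(v.strip().upper() for v in value.split(",") if v.strip())
        elif key == "content-security-policy":
            sources = frame_ancestors(value)
            if sources is not None:
                policies.append(sources)
    if policies:
        # When frame-ancestors is present, browsers enforce it instead of
        # X-Frame-Options. All policies apply, so one restrictive policy suffices.
        if any(not OPEN_SOURCES & set(p) for p in policies):
            return "protected"
        return "unprotected"
    if not xfo:
        return "unprotected"   # no anti-framing header at all
    if len(xfo) > 1:
        return "review"        # two components set conflicting values
    (value,) = xfo
    if value in ("DENY", "SAMEORIGIN"):
        return "protected"
    return "unprotected"       # obsolete ALLOW-FROM or an unrecognised value

# Constructed sample responses, not captured from a real Opigno site.
SAMPLES = {
    "header missing": [("Content-Type", "text/html")],
    "set by a security module": [("X-Frame-Options", "SAMEORIGIN")],
    "conflicting values": [("X-Frame-Options", "DENY"), ("x-frame-options", "SAMEORIGIN")],
    "CSP only": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label}: {framing_verdict(hdrs)}")
```
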
Secured module versions
The Opigno developers recommend upgrading to Group Manager 8.x-1.8 or later and to Learning Path 8.x-1.11 or later. Users can find more information in the Security Advisories: