  • Advisory ID: SA-CONTRIB-2012-113
  • Project: Drupal Commons (third-party module)
  • Version: 6.x
  • Date: 2012-July-11
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass

Description

Drupal Commons is a ready-to-use solution for building either internal or external communities. The Drupal Commons feature (a central module in the distribution) includes a listing of recent comments on discussions. This listing of comments is powered by a view that doesn't fully enforce node access restrictions, which can expose comments for nodes that the user might not have access to view.

CVE: Requested
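
An added illustration of the flaw class described above, not code from Drupal Commons or from this advisory: a trimmed model of the Drupal 6 `node`, `comments` and `node_access` tables, comparing a recent-comments query with and without a grant check. The sample rows, the `example_group` realm and all function names are constructed for this example.

```python
import sqlite3

# Trimmed model of the Drupal 6 tables involved (assumption: only the
# columns this check needs are kept).
SCHEMA = """
CREATE TABLE node (nid INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE comments (cid INTEGER PRIMARY KEY, nid INTEGER, subject TEXT, timestamp INTEGER);
CREATE TABLE node_access (nid INTEGER, gid INTEGER, realm TEXT, grant_view INTEGER);
-- Constructed sample data: node 1 is public, node 2 is visible to group 7 only.
INSERT INTO node VALUES (1, 'Public discussion'), (2, 'Private group discussion');
INSERT INTO node_access VALUES (1, 0, 'all', 1), (2, 7, 'example_group', 1);
INSERT INTO comments VALUES (10, 1, 'hello', 100), (11, 2, 'internal plan', 200),
                            (12, 2, 'internal reply', 300);
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def recent_comments_unfiltered(db, limit=10):
    """Recent-comments listing with no node access check (the flaw described)."""
    rows = db.execute("SELECT cid FROM comments ORDER BY timestamp DESC LIMIT ?", (limit,))
    return [cid for (cid,) in rows]

def recent_comments_filtered(db, grants, limit=10):
    """Same listing, limited to nodes with a matching grant_view row."""
    grants = [("all", 0)] + list(grants)  # modeled on Drupal: every user holds the 'all' grant
    match = " OR ".join("(na.realm = ? AND na.gid = ?)" for _ in grants)
    params = [v for pair in grants for v in pair] + [limit]
    rows = db.execute(
        "SELECT c.cid FROM comments c WHERE EXISTS ("
        " SELECT 1 FROM node_access na"
        " WHERE (na.nid = 0 OR na.nid = c.nid) AND na.grant_view >= 1"
        f" AND ({match})) ORDER BY c.timestamp DESC LIMIT ?", params)
    return [cid for (cid,) in rows]

def leaked_comments(db, grants):
    """Comment ids the unfiltered listing shows that the user may not view."""
    allowed = set(recent_comments_filtered(db, grants))
    return [cid for cid in recent_comments_unfiltered(db) if cid not in allowed]

if __name__ == "__main__":
    db = build_db()
    print("leaked to outsider:", leaked_comments(db, []))
    print("leaked to group member:", leaked_comments(db, [("example_group", 7)]))
```

A non-empty `leaked_comments` result for a low-privilege user is the condition a regression test for such a listing should fail on.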

Versions affected

  • Drupal Commons 6.x-2.x versions prior to 6.x-2.8.

Drupal core is not affected. If you do not use the contributed Drupal Commons module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Drupal Commons project page.

Reported by

Fixed by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.