  • Advisory ID: DRUPAL-SA-CONTRIB-2009-004
  • Project: Notify
  • Versions: 5.x
  • Date: 2009-January-15
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Privilege escalation

Description

A user who triggers the Notify module's cron processing may end up logged in as another user when the Notify operations do not complete successfully.

Versions Affected

  • Versions of Notify for Drupal 5.x prior to 5.x-1.2

Drupal core is not affected. If you do not use the Notify module, there is nothing you need to do.

Solution

Install the latest version.

  • If you use Notify for Drupal 5.x, upgrade to 5.x-1.2

Also see the Notify project page.

Reported by

Philippe Jadin and Bill Kennedy

Contact

The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact by selecting the security issues category.