- Advisory ID: DRUPAL-SA-CONTRIB-2009-041
- Project: Nodequeue (third-party module)
- Version: 5.x, 6.x
- Date: 2009-July-08
- Security risk: Not critical
- Exploitable from: Remote
- Vulnerability: Access bypass
Description
The Nodequeue module enables an administrator to arbitrarily put nodes in a group with an arbitrary order for any purpose, such as providing a listing of nodes or featuring a particular node. On the queue administration screen, users with permission to manipulate a queue are presented with an autocomplete textfield that allows them to type the title of a node and add it to a queue. The autocomplete behind this textfield does not exclude unpublished nodes from its suggestions for users who lack the 'administer content' permission, so unprivileged users can learn the titles of unpublished nodes.
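As an added illustration (not Nodequeue's own code), a Drupal 6 style autocomplete callback showing the flawed pattern beside a hardened one; the function names are hypothetical, and 'administer nodes' is assumed to be the permission that allows viewing unpublished content.

```php
<?php
// Added illustration, not the Nodequeue module's code. Assumed: the
// callback is reached through a menu item whose access check only
// covers queue manipulation, and 'administer nodes' is the permission
// that allows a user to view unpublished content.

// Flawed pattern: matches on title alone, so the titles of unpublished
// nodes are suggested to anyone who may edit a queue.
function example_nodequeue_autocomplete_vulnerable($string = '') {
  $matches = array();
  $result = db_query_range(
    "SELECT n.nid, n.title FROM {node} n WHERE LOWER(n.title) LIKE LOWER('%%%s%%')",
    $string, 0, 10);
  while ($node = db_fetch_object($result)) {
    $matches[$node->title . ' [nid:' . $node->nid . ']'] = check_plain($node->title);
  }
  drupal_json($matches);
}

// Hardened pattern: only published nodes are suggested unless the user
// may administer nodes, and the query is passed through db_rewrite_sql()
// so that node access grants are honoured for the remaining rows too.
function example_nodequeue_autocomplete_fixed($string = '') {
  $matches = array();
  $sql = "SELECT n.nid, n.title FROM {node} n WHERE LOWER(n.title) LIKE LOWER('%%%s%%')";
  if (!user_access('administer nodes')) {
    // Unprivileged users never see unpublished titles in the suggestions.
    $sql .= " AND n.status = 1";
  }
  $result = db_query_range(db_rewrite_sql($sql), $string, 0, 10);
  while ($node = db_fetch_object($result)) {
    $matches[$node->title . ' [nid:' . $node->nid . ']'] = check_plain($node->title);
  }
  drupal_json($matches);
}
```

The status filter is the check the advisory's fix adds; db_rewrite_sql() is an extra step that also keeps access-controlled published nodes out of the suggestions.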
Versions affected
- Nodequeue 6.x prior to 6.x-2.3
- Nodequeue 5.x prior to 5.x-2.8
Drupal core is not affected. If you do not use the contributed Nodequeue module, there is nothing you need to do.
Solution
Install the latest version:
- If you use Nodequeue 6.x, upgrade to Nodequeue 6.x-2.3
- If you use Nodequeue 5.x, upgrade to Nodequeue 5.x-2.8
See also the Nodequeue project page.
Reported by
Ezra Barnett Gildesgame (ezra-g)
Fixed by
Ezra Barnett Gildesgame, the Nodequeue maintainer (ezra-g)
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.