By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CONTRIB-2009-077
- Project: Userpoints (third party module)
- Version: 6.x
- Date: 2009-October-21
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Information disclosure
Description
The Userpoints module enables the users of a site to gain or lose points based on their activity. There is a vulnerability in the module which allows any user with the "View own userpoints" permission to view the userpoints data of any user, not just their own.
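The class of flaw described above, as an added illustration (not code from the Userpoints module): an access check that tests the permission without comparing the requested account to the viewer, beside a version that does. The function names, the `administer userpoints (hypothetical)` permission and the sample accounts are assumptions made for this example.

```php
<?php
// Added illustration, not Userpoints code. demo_user_access() is a stand-in
// for a permission lookup; the accounts below are constructed sample data.
$demo_perms = array(
  0 => array(),                                      // anonymous visitor
  2 => array('view own userpoints'),
  3 => array('view own userpoints'),
  4 => array('administer userpoints (hypothetical)'),
);

function demo_user_access($perm, $uid) {
  global $demo_perms;
  return isset($demo_perms[$uid]) && in_array($perm, $demo_perms[$uid], TRUE);
}

// Flawed pattern: the permission is tested, but the requested account
// ($target_uid) is never compared with the account making the request.
function points_access_flawed($viewer_uid, $target_uid) {
  return demo_user_access('view own userpoints', $viewer_uid);
}

// Corrected pattern: "own" is enforced by an explicit ownership comparison.
function points_access_fixed($viewer_uid, $target_uid) {
  if (demo_user_access('administer userpoints (hypothetical)', $viewer_uid)) {
    return TRUE;
  }
  // uid 0 is the shared anonymous account, so it never "owns" a record.
  return $viewer_uid > 0
    && (int) $viewer_uid === (int) $target_uid
    && demo_user_access('view own userpoints', $viewer_uid);
}

// Regression matrix: viewer, requested account, expected decision.
$cases = array(
  array(2, 2, TRUE),   // own data
  array(2, 3, FALSE),  // another user's data: the case in this advisory
  array(4, 3, TRUE),   // administrator
  array(0, 0, FALSE),  // anonymous
);
foreach ($cases as $c) {
  list($viewer, $target, $expected) = $c;
  printf("viewer=%d target=%d flawed=%s fixed=%s expected=%s\n",
    $viewer, $target,
    var_export(points_access_flawed($viewer, $target), TRUE),
    var_export(points_access_fixed($viewer, $target), TRUE),
    var_export($expected, TRUE));
}
```

A matrix like this, run against the real access callback after upgrading, works as a regression check that the viewer and target accounts are compared.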
Versions affected
- Userpoints module versions 6.x prior to 6.x-1.1
Drupal core is not affected. If you do not use the contributed Userpoints module, there is nothing you need to do.
Solution
Install the latest version.
- If you use the Userpoints module for Drupal 6.x, upgrade to Userpoints module 6.x-1.1.
See also the Userpoints module project page.
Reported by
Fixed by
kbahey, the module maintainer.
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.