• Advisory ID: DRUPAL-SA-CONTRIB-2009-077
  • Project: Userpoints (third party module)
  • Version: 6.x
  • Date: 2009-October-21
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Information disclosure

Description

The Userpoints module enables the users of a site to gain or lose points based on their activity. There is a vulnerability in the module which allows any user with the "View own userpoints" permission to view the userpoints data of any user, not just their own.

Versions affected

  • Userponts module versions 6.x prior to 6.x-1.1

Drupal core is not affected. If you do not use the contributed Userpoints module, there is nothing you need to do.

Solution

Install the latest version.

See also the Userpoints module project page.

Reported by

mr.baileys.

Fixed by

kbahey the module maintainer.

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.