By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CONTRIB-2009-083
- Project: CCK Comment Reference (third-party module)
- Version: 6.x
- Date: 2009-October-28
- Security risk: Moderately Critical
- Exploitable from: Remote
- Vulnerability: Access Bypass
Description
The CCK Comment Reference module enables administrators to define node fields that are references to comments. Users can access comments through the autocomplete path that the module provides even if they don't have access to read comments.
Versions affected
- CCK Comment Reference module for Drupal 6.x, versions prior to CCK Comment Reference 6.x-1.3
- CCK Comment Reference module for Drupal 5.x, versions prior to CCK Comment Reference 5.x-1.2
Drupal core is not affected. If you do not use the contributed CCK Comment Reference module, there is nothing you need to do.
Solution
Install the latest version.
- If you use the CCK Comment Reference module for Drupal 6.x, upgrade to CCK Comment Reference 6.x-1.3
- If you use the CCK Comment Reference module for Drupal 5.x, upgrade to CCK Comment Reference 5.x-1.2
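To check an installed copy against the fixed releases above, the following is an added example (not code from the advisory or the module). It assumes the module was installed from a drupal.org package, whose .info file carries a `version` line; the sample .info text and the function names are constructed for illustration.

```python
import re

# Fixed release per core branch, taken from the advisory text.
FIXED = {"6.x": (1, 3), "5.x": (1, 2)}

# Contrib version strings: <core>-<major>.<patch>[-<extra>] or <core>-<major>.x-dev
VERSION_RE = re.compile(r"^(\d+\.x)-(\d+)\.(\d+|x)(?:-([A-Za-z]+\d*))?$")

# Constructed sample, not the module's real .info file.
SAMPLE_INFO = """; sample .info contents
name = Comment Reference
core = 6.x
version = "6.x-1.2"
"""


def info_version(info_text):
    """Return the value of the 'version' key from .info text, or None."""
    for line in info_text.splitlines():
        line = line.strip()
        if line.startswith(";"):  # .info comment line
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip().strip("\"'")
    return None


def classify(version):
    """Return 'vulnerable', 'fixed' or 'unknown' for a version string."""
    m = VERSION_RE.match(version or "")
    if not m or m.group(1) not in FIXED:
        return "unknown"  # missing, malformed, or a branch the advisory does not list
    core, major, patch, extra = m.groups()
    if patch == "x":
        return "unknown"  # dev snapshot: the string does not identify the commit
    release, fixed = (int(major), int(patch)), FIXED[core]
    if release < fixed:
        return "vulnerable"
    if release == fixed and extra:
        return "vulnerable"  # e.g. 6.x-1.3-beta1 sorts before the 6.x-1.3 release
    return "fixed"


if __name__ == "__main__":
    found = info_version(SAMPLE_INFO)
    print(found, classify(found))
```

An "unknown" result (dev snapshot, missing version line, unlisted branch) needs a manual check rather than being read as safe.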
Reported by
- Ben Jeavons of Drupal Security Team.
Fixed by
- Kristof De Jaeger, the module maintainer.
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.