  • Advisory ID: DRUPAL-SA-CONTRIB-2010-038
  • Project: Privatemsg (third-party module)
  • Version: 6.x
  • Date: 2010-April-28
  • Security risk: Less Critical
  • Exploitable from: Remote
  • Vulnerability: Access Bypass

Description

The Privatemsg module allows users to send private messages to each other. Additionally, the submodule Privatemsg Email Notification sends an e-mail notification when such a message is sent. The page for configuring the template for these e-mails does not use the correct access permission, which allows all users with the "read privatemsg" permission to access and alter the settings on that page.
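
The class of mistake described above, shown as an added Drupal 6 example that is not the Privatemsg code: a settings page registered in hook_menu() with the everyday permission instead of an administrative one. The module name example_notify, its path, its variable names and both permission names are hypothetical.

```php
<?php
// Added example for Drupal 6. "example_notify" and its permission names are
// hypothetical and are not taken from the Privatemsg code base.

/**
 * Implements hook_perm(): declare a dedicated administrative permission.
 */
function example_notify_perm() {
  return array('read example messages', 'administer example notify settings');
}

/**
 * Implements hook_menu().
 */
function example_notify_menu() {
  $items = array();
  $items['admin/settings/example-notify'] = array(
    'title' => 'Notification e-mail template',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_notify_settings_form'),
    // Weak: gating the page on the everyday permission lets every user who
    // can read messages load and submit the settings form:
    //   'access arguments' => array('read example messages'),
    // Corrected: require the administrative permission.
    'access arguments' => array('administer example notify settings'),
    'type' => MENU_NORMAL_ITEM,
  );
  return $items;
}

/**
 * Form builder for the template settings page.
 */
function example_notify_settings_form() {
  $form['example_notify_subject'] = array(
    '#type' => 'textfield',
    '#title' => t('Subject'),
    '#default_value' => variable_get('example_notify_subject', ''),
  );
  $form['example_notify_body'] = array(
    '#type' => 'textarea',
    '#title' => t('Body'),
    '#default_value' => variable_get('example_notify_body', ''),
  );
  // system_settings_form() saves submitted values with variable_set(), so
  // the menu access check above is the only gate on who may change them.
  return system_settings_form($form);
}
```

Drupal 6 caches menu router entries, so a changed 'access arguments' value only takes effect after the menu is rebuilt, for example by clearing the caches.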

Versions affected

  • Privatemsg for Drupal 6.x versions prior to 6.x-1.2

Drupal core is not affected. If you do not use the contributed Privatemsg module, there is nothing you need to do.

Solution

Install the latest version.

Reported by

Fixed by

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.