- Advisory ID: DRUPAL-SA-CONTRIB-2010-038
- Project: Privatemsg (third-party module)
- Version: 6.x
- Date: 2010-April-28
- Security risk: Less Critical
- Exploitable from: Remote
- Vulnerability: Access Bypass
Description
The Privatemsg module allows to send private messages between users. Additionally, the sub module Privatemsg Email Notification sends e-mail notification when such a message is sent. The page to configure the template for these e-mails does not use the correct access permission which allows all users with the read privatemsg permission to access and alter the settings on that page.
Versions affected
- Privatemsg for Drupal 6.x versions prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed Privatemsg module, there is nothing you need to do.
Solution
Install the latest version.
- If you use Privatemsg for Drupal 6.x upgrade to Privatemsg 6.x-1.2
Reported by
Fixed by
- Lee Rowlands
- Sascha Grossenbacher, module maintainer.
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.