  • Advisory ID: DRUPAL-SA-CONTRIB-2010-045
  • Project: Auto Assign Role (third-party module)
  • Version: 6.x
  • Date: 2010-May-12
  • Security risk: Less Critical
  • Exploitable from: Remote
  • Vulnerability: Access Bypass

Description

The Auto Assign Role module serves three primary purposes. The first is to automatically assign roles when a new account is created. The second is to give end users the option of choosing their own role or roles when they create their account. The third is to provide paths that trigger a specific role when an account is created. Auto Assign Role recently added a node autocomplete that did not properly use the Drupal node access API. This may allow users with the 'administer autoassignrole' permission to view the content of nodes that they should not have permission to access.
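The class of bug described above, shown as an added Drupal 6 example. This is not the Auto Assign Role module's code or its actual patch; the function names and the query are hypothetical. The first callback reads titles straight from {node}, and the second passes the same query through db_rewrite_sql() so that node access restrictions apply.

```php
<?php
// Added illustration for Drupal 6.x. Function names and the query are
// hypothetical; this is not code from the Auto Assign Role module.

/**
 * Pattern to avoid: the query goes to {node} directly, so node access
 * grants are never consulted and any matching title is returned.
 */
function example_node_autocomplete_unchecked($string = '') {
  $matches = array();
  $sql = "SELECT n.nid, n.title FROM {node} n WHERE LOWER(n.title) LIKE LOWER('%s%%')";
  $result = db_query_range($sql, $string, 0, 10);
  while ($node = db_fetch_object($result)) {
    $matches[$node->title . ' [nid:' . $node->nid . ']'] = check_plain($node->title);
  }
  drupal_json($matches);
}

/**
 * Corrected pattern: db_rewrite_sql() lets node access modules add their
 * joins and conditions for the current user before the query runs.
 */
function example_node_autocomplete_checked($string = '') {
  $matches = array();
  // 'n' and 'nid' are the defaults; they are spelled out here to show which
  // table alias and key the rewrite is applied to.
  $sql = db_rewrite_sql(
    "SELECT n.nid, n.title FROM {node} n WHERE LOWER(n.title) LIKE LOWER('%s%%')",
    'n',
    'nid'
  );
  $result = db_query_range($sql, $string, 0, 10);
  while ($node = db_fetch_object($result)) {
    // check_plain() escapes the title before it is sent to the browser.
    $matches[$node->title . ' [nid:' . $node->nid . ']'] = check_plain($node->title);
  }
  drupal_json($matches);
}
```

When auditing other Drupal 6 contributed modules for the same issue, look for listing or autocomplete queries against {node} that are not wrapped in db_rewrite_sql().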

Versions affected

Drupal core is not affected. If you do not use the contributed Auto Assign Role module for Drupal 6.x, there is nothing you need to do.

Solution

Install the latest version or disable the module.

If you use a version of Auto Assign Role prior to 6.x-1.2, upgrade to Auto Assign Role 6.x-1.2.

Reported by

Fixed by

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.

Read more about the Security Team and Security Advisories at http://drupal.org/security.