By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CONTRIB-2010-055
- Project: Simplenews (third-party module)
- Version: 6.x
- Date: 2010-May-19
- Security risk: Less Critical
- Exploitable from: Remote
- Vulnerability: Access bypass
Description
Simplenews publishes and sends email newsletters to lists of subscribers; both anonymous and authenticated users can opt in to mailing lists. The user subscription form does not use the correct access permission, so any user with the permission 'subscribe to newsletters' can edit other users' subscriptions.
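The class of access check described above, as an added example that is not Simplenews code and not the module's actual fix. It assumes a hypothetical Drupal 6 module `example_news` with a per-user route `user/%user/example-news` and a hypothetical 'administer example_news subscriptions' permission; only 'subscribe to newsletters' comes from the advisory.

```php
<?php
// example_news.module: hypothetical Drupal 6 module, constructed for illustration.

/** Implementation of hook_perm(). */
function example_news_perm() {
  return array('subscribe to newsletters', 'administer example_news subscriptions');
}

/** Implementation of hook_menu(). */
function example_news_menu() {
  $items = array();
  // Weak form of this route, shown for contrast: it only asks whether the
  // *current* user holds the permission and never looks at which account
  // (%user, path argument 1) the form is going to edit.
  //   'access callback'  => 'user_access',
  //   'access arguments' => array('subscribe to newsletters'),
  $items['user/%user/example-news'] = array(
    'title' => 'Newsletter subscriptions',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_news_subscription_form', 1),
    // Corrected form: the callback receives the account being edited.
    'access callback' => 'example_news_subscription_access',
    'access arguments' => array(1),
    'type' => MENU_LOCAL_TASK,
  );
  return $items;
}

/** Access callback: subscription administrators, or the account's owner. */
function example_news_subscription_access($account) {
  global $user;
  if (empty($account->uid)) {
    return FALSE; // No loaded account to edit.
  }
  if (user_access('administer example_news subscriptions')) {
    return TRUE;
  }
  // Permission alone is not enough; the target must be the current user.
  return $user->uid == $account->uid && user_access('subscribe to newsletters');
}

/** Form builder; the uid is carried as a server-side value, not user input. */
function example_news_subscription_form(&$form_state, $account) {
  $form['uid'] = array('#type' => 'value', '#value' => $account->uid);
  $form['subscribed'] = array('#type' => 'checkbox', '#title' => t('Subscribe'));
  $form['submit'] = array('#type' => 'submit', '#value' => t('Save'));
  return $form;
}
```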
Versions affected
- Simplenews module for Drupal 6.x versions prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed Simplenews module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Simplenews module for Drupal 6.x, upgrade to Simplenews 6.x-1.2.
Reported by
Fixed by
- Erik Stielstra, module maintainer
- Miro Dietiker
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.