Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By Heine on
- Advisory ID: DRUPAL-SA-2007-003.
- Project: Acidfree (third-party module).
- Version: 4.6.x, 4.7.x
- Date: 2007-Jan-23.
- Security risk: Highly critical.
- Exploitable from: Remote.
- Vulnerability: SQL Injection.
Description
Under certain circumstances, node titles are not escaped before being used in an SQL query, allowing a malicious user with the 'create acidfree albums' privilege and the ability to create acidfree content, to execute an SQL injection attack. These attacks may lead to administrator access.
Versions affected
All versions before
- Acidfree 4.6.x-1.0.
- Acidfree 4.7.x-1.0.
Drupal core is not affected. If you do not use the contributed Acidfree module, there is nothing you need to do.
Solution
Install the latest version:
See also the Acidfree project page.
Reported by
Brett Yagel (yagel).
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
