By Heine on
- Advisory ID: DRUPAL-SA-2007-011
- Project: Node family (third-party module)
- Version: 5.x
- Date: 2007-March-6
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Access bypass
Description
Nodefamily is needed for building user profiles with the nodeprofile module. By manipulating URL arguments, authenticated users are able to access and modify the profile of other users.
Versions affected
- Nodefamily for Drupal 5.x before 5.x-1.0
Nodefamily for 4.7.x is not affected.
Drupal core is not affected. If you do not use the contributed Nodefamily module, there is nothing you need to do.
Solution
Install the latest version:
See also the Nodefamily project page.
Reported by
Ryan C.
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.