Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CONTRIB-2012-120
- Project: Monthly Archive by Node Type (third-party module)
- Version: 6.x
- Date: 2012-August-1
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Access bypass
Description
This module generates a monthly archive and block for specified node types, as well as an archive and block for whichever collection of node types you specify.
The module doesn't sufficiently ensure node access for sites that use a node access system.
This vulnerability is mitigated by the fact that it only affects sites using a node_access module.
CVE: Requested
Versions affected
- All versions of the "montharchive" (Monthly Archive by Node Type) module are affected.
Drupal core is not affected. If you do not use the contributed Monthly Archive by Node Type module, there is nothing you need to do.
Solution
Remove the module; all versions of the module are affected by this vulnerability.
Also see the Monthly Archive by Node Type project page.
Reported by
Fixed by
No fix was supplied.
Coordinated by
- Michael Hess of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
