  • Advisory ID: DRUPAL-SA-CONTRIB-2013-073
  • Project: Make Meeting Scheduler (third-party module)
  • Version: 6.x
  • Date: 2013-September-04
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass

Description

This module enables you to create polls accessible via a URL containing a hash (e.g. example.com/makemeeting/sn9028xh3398) so that anonymous users can view and vote on the poll.

The module did not sufficiently check access when a poll was accessed directly via its node URL (e.g. node/123). Note: a user with the hashed URL can still access and vote on the poll, as that is the intention of the module.

CVE identifier(s) issued

  • CVE-2013-4379

Versions affected

  • Make Meeting Scheduler 6.x-1.x versions prior to 6.x-1.3.

Drupal core is not affected. If you do not use the contributed Make Meeting Scheduler module, there is nothing you need to do.
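
To check an installed copy against the affected range above, the following added example (not part of the advisory or the module's code) reads the `version` key from the text of a module `.info` file and classifies it. The function names, the result labels and the sample `.info` content are assumptions made for illustration.

```python
import re

FIXED_PATCH = 3  # advisory: 6.x-1.x releases prior to 6.x-1.3 are affected

# Contrib version strings look like "6.x-1.2", "6.x-1.3-beta1" or "6.x-1.x-dev".
VERSION_RE = re.compile(r'^(\d+)\.x-(\d+)\.(\d+|x)(?:-([A-Za-z]+\d*))?$')

# Constructed sample .info content, not copied from the module.
SAMPLE_INFO = '''; constructed sample
name = Make Meeting Scheduler
core = 6.x
version = "6.x-1.2"
'''

def info_version(info_text):
    """Return the value of the `version` key in .info text, or None."""
    for line in info_text.splitlines():
        line = line.strip()
        if not line or line.startswith(';'):  # ';' starts a comment
            continue
        key, sep, value = line.partition('=')
        if sep and key.strip() == 'version':
            return value.strip().strip('"\'')
    return None

def classify(version):
    """Return 'affected', 'fixed', 'unknown' or 'not-listed' (labels are ours)."""
    m = VERSION_RE.match(version or '')
    if not m:
        return 'unknown'        # missing or unparseable: review by hand
    core, major, patch, extra = m.groups()
    if core != '6' or major != '1':
        return 'not-listed'     # the advisory only lists the 6.x-1.x branch
    if patch == 'x':
        return 'unknown'        # -dev snapshot: depends on when it was built
    if int(patch) < FIXED_PATCH:
        return 'affected'
    if int(patch) == FIXED_PATCH and extra:
        return 'unknown'        # pre-release of 1.3: fix status not stated
    return 'fixed'

if __name__ == '__main__':
    found = info_version(SAMPLE_INFO)
    print(found, classify(found))
```

Anything reported as `unknown` (development snapshots, pre-releases, or a missing `version` key) needs a manual comparison against the 6.x-1.3 release.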

Solution

Install the latest version:

Also see the Make Meeting Scheduler project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.