- Advisory ID: DRUPAL-SA-CONTRIB-2010-037
- Project: Decisions (third-party module)
- Version: 5.x, 6.x
- Date: 2010-April-28
- Security risk: Less Critical
- Exploitable from: Remote
- Vulnerability: Access Bypass
Description
Decisions is a replacement for poll.module and provides advanced voting systems and decision-making tools. It aims to enable groups to take decisions online in a manner that replicates and augments what is possible in face-to-face meeting. In some listings, the Decisions module does not construct its SQL query to respect node access restrictions, thus users can see listings of nodes which should not be accessible to them.
Versions affected
- Decisions for Drupal 5.x versions prior to 5.x-1.2
- Decisions for Drupal 6.x versions prior to 6.x-1.7
Drupal core is not affected. If you do not use the contributed Decisions module, there is nothing you need to do.
Solution
Install the latest version.
- If you use Decisions for Drupal 5.x upgrade to Decisions 5.x-1.2
- If you use Decisions for Drupal 6.x upgrade to Decisions 6.x-1.7
Reported by
Fixed by
- Antoine Beaupré, module maintainer.
- Ezra Barnett Gildesgame, module maintainer.
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.