• Advisory ID: SA-CONTRIB-2012-111
  • Project: Security Questions (third-party module)
  • Version: 6.x, 7.x
  • Date: 2012-July-11
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass


This module provides administrator configurable challenge questions for use during the log in and password reset processes.

The module doesn't perform a proper access check, allowing a users' questions and answers to be edited by other users including anonymous users.

CVE: CVE-2012-4475

Versions affected

  • Security Questions 6.x-1.x versions prior to 6.x-1.1.
  • Security Questions 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Security Questions module, there is nothing you need to do.


Install the latest version:

Also see the Security Questions project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.