• Advisory ID: DRUPAL-SA-2007-030
  • Project: Drupal core
  • Version: 4.7.x, 5.x
  • Date: 2007-October-17
  • Security risk: Not critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass


The publication status of comments is not passed during the hook_comments API operation, causing various modules that rely on the publication status (such as Organic groups, or Subscriptions) to mail out unpublished comments.

Versions affected

  • Drupal 4.7.x before version 4.7.8
  • Drupal 5.x before version 5.3.


Install the latest version:

  • If you are running Drupal 4.7.x then upgrade to Drupal 4.7.8.
  • If you are running Drupal 5.x then upgrade to Drupal 5.3.

If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.

Reported by

The Drupal security team.


The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.