- Advisory ID: DRUPAL-SA-2007-030
- Project: Drupal core
- Version: 4.7.x, 5.x
- Date: 2007-October-17
- Security risk: Not critical
- Exploitable from: Remote
- Vulnerability: Access bypass
The publication status of comments is not passed during the hook_comments API operation, causing various modules that rely on the publication status (such as Organic groups, or Subscriptions) to mail out unpublished comments.
- Drupal 4.7.x before version 4.7.8
- Drupal 5.x before version 5.3.
Install the latest version:
- If you are running Drupal 4.7.x then upgrade to Drupal 4.7.8.
- If you are running Drupal 5.x then upgrade to Drupal 5.3.
If you are unable to upgrade immediately, you can apply a patch to secure your installation until you are able to do a proper upgrade.
The Drupal security team.
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.