Voting starts in March for the Drupal Association Board election.
- Advisory ID: DRUPAL-SA-CONTRIB-2013-002
- Project: Payment (third-party module)
- Version: 7.x
- Date: 2013-January-09
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Access bypass
Payment enables other modules to make payments using a variety of payment processing services.
The module incorrectly grants access when checking if a user can view payments, allowing a user to access the payments of other users.
CVE identifier(s) issued
- Payment 7.x-1.x versions prior to 7.x-1.3.
Drupal core is not affected. If you do not use the contributed Payment module, there is nothing you need to do.
Update to Payment 7.x-1.3 or later.
Also see the Payment project page.
- Bart Feenstra (the module maintainer)
- Greg Knaddison of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.