- Advisory ID: DRUPAL-SA-CONTRIB-2014-078
- Project: Notify (third-party module)
- Version: 7.x
- Date: 2014-August-13
- Security risk: 10/25 (Moderately Critical) AC:Complex/A:User/CI:Some/II:None/E:Proof/TD:75
- Vulnerability: Access bypass
Description
The notify module allows users to subscribe to periodic emails which include all new or revised content and/or comments of specific content types, much like the daily newsletters sent by some websites.
The Notify module does not sufficiently check whether the user has access to recently added or updated nodes and all the fields within the node before including the nodes in notification emails to a given user. This will expose node titles and potentially node teasers and fields to users who should not see them.
This vulnerability is mitigated by the fact that a site must use some form of access control and must be configured to include nodes with protected content in notifications.
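The checks the advisory describes as missing, shown as an added Drupal 7 example: a hypothetical digest helper (not the Notify module's code or its 7.x-1.1 fix) that filters changed nodes per recipient with node_access() and field_access() before anything reaches the mail body.

```php
<?php
/**
 * Hypothetical helper (not from the Notify module): reduce a list of recently
 * created or updated nodes to what one recipient may actually view, so a digest
 * built in cron never carries titles, teasers or fields of protected content.
 *
 * @param int[] $nids
 *   IDs of nodes changed since the last digest.
 * @param object $account
 *   The recipient's user account (e.g. from user_load()), not the cron user.
 *
 * @return array
 *   Keyed by nid: the node and the names of fields the recipient may view.
 */
function example_notify_visible_nodes(array $nids, $account) {
  $visible = array();
  foreach (node_load_multiple($nids) as $nid => $node) {
    // node_access() evaluates hook_node_access() implementations and the
    // node_access grants for THIS account; it also drops unpublished nodes
    // unless the account is allowed to see them.
    if (!node_access('view', $node, $account)) {
      continue;
    }
    $fields = array();
    foreach (field_info_instances('node', $node->type) as $field_name => $instance) {
      $field = field_info_field($field_name);
      // field_access() falls back to the global $user when no account is given,
      // which in a cron run is not the recipient, so pass $account explicitly.
      if (field_access('view', $field, 'node', $node, $account)) {
        $fields[] = $field_name;
      }
    }
    $visible[$nid] = array('node' => $node, 'fields' => $fields);
  }
  return $visible;
}

/**
 * Build one recipient's digest lines from the filtered list only.
 */
function example_notify_digest_lines($uid, array $nids) {
  $account = user_load($uid);
  $lines = array();
  foreach (example_notify_visible_nodes($nids, $account) as $item) {
    // Only titles of nodes this recipient may view; field output would be
    // rendered from $item['fields'] under the same per-account rule.
    $lines[] = check_plain($item['node']->title);
  }
  return $lines;
}
```

A site-specific test of the fix is to subscribe a user who lacks a given access grant, update a node protected by that grant, and confirm the node is absent from that user's next digest while present in an authorized user's digest.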
CVE identifier(s) issued
- CVE-2014-9154
Versions affected
- Notify 7.x-1.0.
Drupal core is not affected. If you do not use the contributed Notify module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Notify module for Drupal 7.x, upgrade to Notify 7.x-1.1
Also see the Notify project page.
Reported by
- John Oltman of the Drupal Security Team
Fixed by
- Gisle Hannemyr, one of the module maintainers
- Matt Chapman of the Drupal Security Team
- John Oltman of the Drupal Security Team
Coordinated by
- Greg Knaddison of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal (https://www.drupal.org/writing-secure-code), and securing your site (https://www.drupal.org/security/secure-configuration).