• Advisory ID: DRUPAL-SA-CONTRIB-2009-077
  • Project: Userpoints (third party module)
  • Version: 6.x
  • Date: 2009-October-21
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Information disclosure


The Userpoints module enables the users of a site to gain or lose points based on their activity. There is a vulnerability in the module which allows any user with the "View own userpoints" permission to view the userpoints data of any user, not just their own.

Versions affected

  • Userponts module versions 6.x prior to 6.x-1.1

Drupal core is not affected. If you do not use the contributed Userpoints module, there is nothing you need to do.


Install the latest version.

See also the Userpoints module project page.

Reported by


Fixed by

kbahey the module maintainer.


The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.