  • Advisory ID: DRUPAL-SA-CONTRIB-2009-089
  • Project: Storm (third-party module)
  • Version: 6.x
  • Date: 2009-October-28
  • Security risk: Less Critical
  • Exploitable from: Remote
  • Vulnerability: Access Bypass


The Storm module provides a project management application for Drupal.

The module does not enforce the expected access permissions on nodes of type 'storminvoiceitem', potentially exposing the node title to unauthorized users.

Versions affected

  • Versions of Storm for Drupal 6.x prior to 6.x-1.25

Versions of Storm for Drupal 5.x and 7.x are not affected.

Drupal core is not affected. If you do not use the 6.x version of the contributed Storm module, there is nothing you need to do.


Install the latest version:

Also see the Storm project page.

Reported by

Fixed by


The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.