- Advisory ID: DRUPAL-SA-CONTRIB-2009-089
- Project: Storm (third-party module)
- Version: 6.x
- Date: 2009-October-28
- Security risk: Less Critical
- Exploitable from: Remote
- Vulnerability: Access Bypass
The Storm module provides a project management application for Drupal.
The module has a vulnerability in which nodes of type 'storminvoiceitem' do not respect the expected access permissions, potentially exposing the node title to unauthorized users.
- Versions of Storm for Drupal 6.x prior to 6.x-1.25
Versions of Storm for Drupal 5.x and 7.x are not affected.
Drupal core is not affected. If you do not use the 6.x version of the contributed Storm module, there is nothing you need to do.
Install the latest version:
- If you use Storm for Drupal 6.x, upgrade to Storm 6.x-1.25
Also see the Storm project page.
- Magnity, the module maintainer
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.