Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By greggles on
- Advisory ID: DRUPAL-SA-CONTRIB-2009-089
- Project: Storm (third-party module)
- Version: 6.x
- Date: 2009-October-28
- Security risk: Less Critical
- Exploitable from: Remote
- Vulnerability: Access Bypass
Description
The Storm module provides a project management application for Drupal.
The module suffers a vulnerability whereby nodes of type 'storminvoiceitem' are not respecting the expected access permissions, potentially exposing the node title to unauthorized users.
Versions affected
- Versions of Storm for Drupal 6.x prior to 6.x-1.25
Versions of Storm for Drupal 5.x and 7.x are not affected.
Drupal core is not affected. If you do not use the 6.x version of the contributed Storm module, there is nothing you need to do.
Solution
Install the latest version:
- If you use Storm for Drupal 6.x upgrade to Storm 6.x-1.25
Also see the Storm project page.
Reported by
Fixed by
- Magnity, the module maintainer
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.
