- Advisory ID: DRUPAL-SA-CONTRIB-2009-089
- Project: Storm (third-party module)
- Version: 6.x
- Date: 2009-October-28
- Security risk: Less Critical
- Exploitable from: Remote
- Vulnerability: Access Bypass
Description
The Storm module provides a project management application for Drupal.
The module contains a vulnerability in which nodes of type 'storminvoiceitem' do not respect the expected access permissions, potentially exposing the node title to unauthorized users.
Versions affected
- Versions of Storm for Drupal 6.x prior to 6.x-1.25
Versions of Storm for Drupal 5.x and 7.x are not affected.
Drupal core is not affected. If you do not use the 6.x version of the contributed Storm module, there is nothing you need to do.
Solution
Install the latest version:
- If you use Storm for Drupal 6.x, upgrade to Storm 6.x-1.25
Also see the Storm project page.
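To check an installation against the affected range above, the following added example (not part of the advisory or of the Storm project) reads the `version` line that drupal.org packaging writes into a module's .info file and classifies it. The sample .info text is constructed, and treating a pre-release of 6.x-1.25 as affected is a conservative assumption.

```python
import re

# Fixed release named in the advisory: Storm 6.x-1.25
FIXED = (1, 25)

# Packaged Drupal modules carry a line such as: version = "6.x-1.24"
_VERSION_LINE = re.compile(r'^\s*version\s*=\s*"?([^"\s]+)"?\s*$', re.M)
# <core>.x-<major>.<minor>[-<extra>], e.g. 6.x-1.25 or 6.x-1.25-rc1
_RELEASE = re.compile(r'^(\d+)\.x-(\d+)\.(\d+)(?:-([a-z]+\d*))?$')

# Constructed sample, not a copy of the real storm.info
SAMPLE_INFO = '''; constructed sample of a packaged .info file
name = Storm
core = 6.x
version = "6.x-1.24"
'''


def info_version(info_text):
    """Return the version string from .info file text, or None if absent."""
    m = _VERSION_LINE.search(info_text)
    return m.group(1) if m else None


def storm_status(version):
    """Classify a Storm version string against DRUPAL-SA-CONTRIB-2009-089."""
    if version is None:
        return "unknown"        # no version line, e.g. a VCS checkout
    m = _RELEASE.match(version)
    if not m:
        return "unknown"        # e.g. 6.x-1.x-dev: review manually
    core, major, minor = int(m.group(1)), int(m.group(2)), int(m.group(3))
    extra = m.group(4)
    if core != 6:
        return "not affected"   # advisory: only the 6.x branch is affected
    # Compare numerically: as strings, "1.9" would sort after "1.25".
    if (major, minor) < FIXED or ((major, minor) == FIXED and extra):
        return "affected"       # assumption: pre-releases of 1.25 count as prior
    return "fixed"


if __name__ == "__main__":
    v = info_version(SAMPLE_INFO)
    print(v, "->", storm_status(v))
```

An "unknown" result means the version cannot be decided from the string alone and the installed code should be compared with the 6.x-1.25 release by hand.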
Reported by
Fixed by
- Magnity, the module maintainer
Contact
The security contact for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.