- Advisory ID: DRUPAL-SA-CONTRIB-2010-019
- Project: Weekly Archive by Node Type (third-party module)
- Version: 6.x-2.x
- Date: 2010-February-24
- Security risk: Less Critical
- Exploitable from: Remote
- Vulnerability: Access Bypass
The Weekly Archive by Node Type module generates weekly archive pages and a block with links to those pages. You can specify the node types that will be included in the archive pages. In its weekly summary listings, the module does not construct its SQL query to respect node access restrictions, so users can see listings of nodes that are restricted by a node access module and should not be accessible to them.
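The missing check, as an added example that is not the module's code: a simplified SQLite model of Drupal 6's `node` and `node_access` tables, with a weekly listing run without and with a view-grant condition. The table contents, the `example_group` realm and the function names are constructed for illustration; in Drupal 6 itself, node listing queries get this condition by being passed through `db_rewrite_sql()`.

```python
import sqlite3

# Constructed sample data: a simplified model of Drupal 6's node and
# node_access tables (column subset), not the module's real schema or queries.
SCHEMA = """
CREATE TABLE node (nid INTEGER PRIMARY KEY, type TEXT, title TEXT,
                   status INTEGER, created INTEGER);
CREATE TABLE node_access (nid INTEGER, gid INTEGER, realm TEXT,
                          grant_view INTEGER);
"""
NODES = [
    (1, "story", "Public post", 1, 1266900000),
    (2, "story", "Members-only post", 1, 1266950000),
    (3, "page", "Other type, same week", 1, 1266960000),
]
# Node 2 is viewable only with grant id 7 in a hypothetical 'example_group'
# realm, as a node access module would record it; the others are open to all.
GRANTS = [(1, 0, "all", 1), (2, 7, "example_group", 1), (3, 0, "all", 1)]
WEEK = (1266796800, 1267401600)  # constructed week boundaries (UTC seconds)

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO node VALUES (?,?,?,?,?)", NODES)
    db.executemany("INSERT INTO node_access VALUES (?,?,?,?)", GRANTS)
    return db

def list_week_unchecked(db, node_type):
    """Listing as the advisory describes it: no node access condition."""
    rows = db.execute(
        "SELECT n.title FROM node n WHERE n.type = ? AND n.status = 1 "
        "AND n.created >= ? AND n.created < ? ORDER BY n.created",
        (node_type, *WEEK))
    return [r[0] for r in rows]

def list_week_checked(db, node_type, user_grants):
    """Same listing, restricted to nodes the user holds a view grant for."""
    grants = [("all", 0)] + list(user_grants)  # (realm, gid) pairs
    cond = " OR ".join("(na.realm = ? AND na.gid = ?)" for _ in grants)
    params = [node_type, *WEEK] + [v for g in grants for v in g]
    rows = db.execute(
        "SELECT DISTINCT n.title, n.created FROM node n "
        "JOIN node_access na ON na.nid = n.nid "
        "WHERE n.type = ? AND n.status = 1 AND n.created >= ? "
        "AND n.created < ? AND na.grant_view >= 1 AND (" + cond + ") "
        "ORDER BY n.created", params)
    return [r[0] for r in rows]
```

Comparing the two functions' output for a user without the restricted grant is a quick regression check for any listing query a module builds by hand.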
- Weekly Archive by Node Type module for Drupal 6.x versions prior to 6.x-2.7
Drupal core is not affected. If you do not use the contributed Weekly Archive by Node Type module, there is nothing you need to do.
Install the latest version.
- If you use the Weekly Archive by Node Type module for Drupal 6.x, upgrade to Weekly Archive by Node Type 6.x-2.7.
- Aron Hsiao.
- Prometheus6, the module maintainer.
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.