- Advisory ID: DRUPAL-SA-CONTRIB-2010-112
- Project: oEmbed (third-party module)
- Version: 6.x
- Date: 2010-December-22
- Security risk: Moderately Critical
- Exploitable from: Remote
- Vulnerability: Access Bypass
Description
The oEmbed module allows a Drupal site to embed content from oEmbed providers, and also to act as an oEmbed provider itself so that other oEmbed-enabled websites can embed its content.
If an external site requested to embed a node, the oEmbed provider did not check node access, so content that a user could not otherwise access could be embedded.
This only affects sites that are using the oEmbed Provider sub-module.
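The class of check described above, as an added Drupal 6 sketch that is not the oEmbed module's own code: the module name `example_oembed`, its endpoint path and the response dimensions are hypothetical, and the site is assumed to be installed at the web root.

```php
<?php
// Added illustration for Drupal 6. "example_oembed" and its functions are
// hypothetical names, not code from the oEmbed module.

/**
 * Implementation of hook_menu(): a public provider endpoint.
 */
function example_oembed_menu() {
  $items['example-oembed/endpoint'] = array(
    'page callback' => 'example_oembed_endpoint',
    // The endpoint is open to everyone, so this menu-level gate says
    // nothing about whether the requested node may be viewed.
    'access callback' => TRUE,
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Page callback: answers ?url=<address of a node on this site>.
 */
function example_oembed_endpoint() {
  $url = (isset($_GET['url']) && is_string($_GET['url'])) ? $_GET['url'] : '';
  // Reduce the URL to a Drupal path and resolve aliases to node/NID.
  $path = trim((string) parse_url($url, PHP_URL_PATH), '/');
  $path = drupal_get_normal_path($path);
  if (!preg_match('@^node/(\d+)$@', $path, $m) || !($node = node_load($m[1]))) {
    return MENU_NOT_FOUND;
  }
  // The per-node check: node_load() returns the node regardless of
  // permissions, so access has to be tested explicitly. The request comes
  // from the consumer's server, so it is evaluated as the anonymous user.
  if (!node_access('view', $node)) {
    return MENU_ACCESS_DENIED;
  }
  // Constructed oEmbed "rich" response; width and height are sample values.
  drupal_json(array(
    'type' => 'rich',
    'version' => '1.0',
    'title' => $node->title,
    'html' => node_view($node, TRUE, FALSE, FALSE),
    'width' => 480,
    'height' => 320,
  ));
}
```

Without the `node_access('view', $node)` branch, the callback would return the teaser of any node whose path is supplied, including unpublished nodes and nodes restricted by node access modules.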
Versions affected
- oEmbed module for Drupal 6.x versions prior to 6.x-0.8
Drupal core is not affected. If you do not use the contributed oEmbed module, together with its oEmbed provider module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the oEmbed module for Drupal 6.x, upgrade to oEmbed 6.x-0.8.
See also the oEmbed project page.
Reported by
Fixed by
- Pelle Wessman, module co-maintainer
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.
Learn more about the team and their policies, writing secure code for Drupal, and secure configuration of your site.