Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2018-November-28
Vulnerability:
Access bypass
Description:
This module allows registered users to request email reminders to be sent at a specified time before an event.
The module doesn't sufficiently check access to nodes, allowing a user to set a reminder on a node that the user shouldn't be able to access.
This can be mitigated with configuring DateReminder with Reminder Display: "Fieldset within a node" disables the potential exploit.
Solution:
Install the latest version:
- If you use the Date Reminder module for Drupal 7.x, upgrade to Date Reminder 7.x-1.15
Also see the Date Reminder project page.
Reported By:
Fixed By:
- dwillcox
- Balazs Janos Tatar Provisional Security Team member
Coordinated By:
