This module allows registered users to request email reminders to be sent at a specified time before an event.
The module doesn't sufficiently check access to nodes, allowing a user to set a reminder on a node that the user shouldn't be able to access.
This can be mitigated with configuring DateReminder with Reminder Display: "Fieldset within a node" disables the potential exploit.
Install the latest version:
- If you use the Date Reminder module for Drupal 7.x, upgrade to Date Reminder 7.x-1.15
Also see the Date Reminder project page.
- dwillcox
- Balazs Janos Tatar Provisional Security Team member