* Advisory ID: DRUPAL-SA-CONTRIB-2010-055 * Project: Simplenews (third-party module) * Version: 6.x * Date: 2010-May-19 * Security risk: Less Critical * Exploitable from: Remote * Vulnerability: Access bypass
-------- DESCRIPTION ---------------------------------------------------------
Simplenews publishes and sends email newsletters to lists of subscribers, with both anonymous and authenticated users being able to opt-in to mailing lists. The user subscription form does not use the correct access permission resulting in any user with the permission 'subscribe to newsletters' being able to edit other user subscriptions. -------- VERSIONS AFFECTED ---------------------------------------------------
* Simplenews module for Drupal 6.x versions prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed Simplenews [1] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------
Install the latest version: * If you use the Simplenews module for Drupal 6.x upgrade to Simplenews 6.x-1.2 [2]
-------- REPORTED BY ---------------------------------------------------------
* rpk [3] * Opengl [4] * Miro Dietiker [5]
-------- FIXED BY ------------------------------------------------------------
* Erik Stielstra [6], module maintainer * Miro Dietiker [7]
-------- CONTACT -------------------------------------------------------------
The security team for Drupal [8] can be reached at security at drupal.org or via the form at http://drupal.org/contact.
[1] http://drupal.org/project/simplenews [2] http://drupal.org/node/803254 [3] http://drupal.org/user/254717 [4] http://drupal.org/user/474706 [5] http://drupal.org/user/227761 [6] http://drupal.org/user/73854 [7] http://drupal.org/user/227761 [8] http://drupal.org/security-team