* Advisory ID: DRUPAL-SA-CONTRIB-2010-055 * Project: Simplenews (third-party module) * Version: 6.x * Date: 2010-May-19 * Security risk: Less Critical * Exploitable from: Remote * Vulnerability: Access bypass -------- DESCRIPTION --------------------------------------------------------- Simplenews publishes and sends email newsletters to lists of subscribers, with both anonymous and authenticated users being able to opt-in to mailing lists. The user subscription form does not use the correct access permission resulting in any user with the permission 'subscribe to newsletters' being able to edit other user subscriptions. -------- VERSIONS AFFECTED --------------------------------------------------- * Simplenews module for Drupal 6.x versions prior to 6.x-1.2 Drupal core is not affected. If you do not use the contributed Simplenews [1] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Simplenews module for Drupal 6.x upgrade to Simplenews 6.x-1.2 [2] -------- REPORTED BY --------------------------------------------------------- * rpk [3] * Opengl [4] * Miro Dietiker [5] -------- FIXED BY ------------------------------------------------------------ * Erik Stielstra [6], module maintainer * Miro Dietiker [7] -------- CONTACT ------------------------------------------------------------- The security team for Drupal [8] can be reached at security at drupal.org or via the form at http://drupal.org/contact. [1] http://drupal.org/project/simplenews [2] http://drupal.org/node/803254 [3] http://drupal.org/user/254717 [4] http://drupal.org/user/474706 [5] http://drupal.org/user/227761 [6] http://drupal.org/user/73854 [7] http://drupal.org/user/227761 [8] http://drupal.org/security-team