View online: https://www.drupal.org/sa-contrib-2018-075

Project: GatherContent [1] Date: 2018-November-28 Security risk: *Moderately critical* 13∕25 AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All [2] Vulnerability: Access bypass

Description:  This module enables you to import and export data from the GatherContent service.

The module didn't properly protect its administrative paths.

Solution:  * gathercontent 7.x versions prior to 7.x-3.5.

Drupal core is not affected. If you do not use the contributed GatherContent [3] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:

* If you use the gathercontent module for Drupal 7.x, upgrade to gathercontent 7.x-3.5 [4]

Reported By:  * Francisco Rodriguez [5]

Fixed By:  * Roland Kovacsics [6]

Coordinated By:  * Michael Hess [7] of the Drupal Security Team * Greg Knaddison [8] of the Drupal Security Team

[1] https://www.drupal.org/project/gathercontent [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/gathercontent [4] https://www.drupal.org/project/gathercontent/releases/7.x-3.5 [5] https://www.drupal.org/user/2744561 [6] https://www.drupal.org/user/3528385 [7] https://www.drupal.org/u/mlhess [8] https://www.drupal.org/u/greggles