* Advisory ID: DRUPAL-SA-CONTRIB-2009-004
* Project: Notify
* Versions: 5.x
* Date: 2009-January-15
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Privilege escalation
---- DESCRIPTION ----
A user triggering the cron processing of the Notify module may end up getting
logged in as another user when the Notify operations do not complete
successfully.
---- VERSIONS AFFECTED ----
* Versions of Notify for Drupal 5.x prior to 5.x-1.2
Drupal core is not affected. If you do not use the Notify module, there is
nothing you need to do.
---- SOLUTION ----
Install the latest version.
* If you use Notify for Drupal 5.x, upgrade to 5.x-1.2
  [ http://drupal.org/node/358495 ]
Also see the Notify project page [ http://drupal.org/project/notify ].
---- REPORTED BY ----
Philippe Jadin and Bill Kennedy
---- CONTACT ----
The security contact for Drupal can be reached at security at drupal.org or via
the form at [ http://drupal.org/contact ] and by selecting the security issues
category.