Some security issues have been reported in the Drupal Project and Project issue tracking modules, which can be exploited by malicious users to disclose sensitive information and bypass certain access restrictions.
The security issues are caused due to the improper enforcing of the "access projects", "access own projects", "access project issues" and "access own project issues" permissions. This can be exploited to disclose project names and other unspecified sensitive information about project or issues, via the Tracker Module and the "Recent posts" page, if a project or issue is promoted to the front page, and also to disclose a project's CVS activity if the node identifier is known.
The security issues are reported in the following products:
* Project module versions prior to 5.x-1.0, 4.7.x-2.3, and 4.7.x-1.3
* Project issue tracking module versions prior to 5.x-1.0, 4.7.x-2.4, and 4.7.x-1.4
Do you have additional information related to this advisory?
Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this
information to firstname.lastname@example.org
Subject: Drupal Project and Project Issue Tracking Modules Insecure Permissions
No posts yet
You must be logged in to post a comment.
Secunia Customer Login
Not a customer already?
Learn more about how our market leading Vulnerability Management solutions can help you manage risk and ensure compliance.