Several contributed modules were incorrectly updated for the Drupal 6.x menu system in such a way that the intended access controls are likely to be by-passed by unprivileged users. In some cases, this includes access to the administrative functions of these modules, or access to content the user would otherwise be prohibited from seeing.
Drupal core is not affected. Disabling the affected modules provides an immediate workaround.
Drupal core is not affected. If you do not use a contributed module from the list above on a Drupal 6 site, there is nothing you need to do.
If you are running any of the modules from the list above, upgrade to the version specified in the list.
If you are the author of a contributed module being updated for Drupal 6.x, please read carefully the documentation on the Drupal 6 menu system to insure that you do not make the same mistake: <http://drupal.org/node/109157>
John Morahan and Peter Wolanin of the Drupal security team.
drupal.org/contact
drupal.org/node/109157
drupal.org/project/admin_hover
drupal.org/project/ajax_pic_preview
drupal.org/project/creativecommons_lite
drupal.org/project/live
drupal.org/project/ljxp
drupal.org/project/referral
drupal.org/project/rotor
drupal.org/project/shortcut
drupal.org/project/taxonomy_xml
drupal.org/user/49851
drupal.org/user/58170