SA-CONTRIB-2011-040 Author Pane access bypass

2011-09-0700:00:00

Drupal Security Team

www.drupal.org

JSON

The Author Pane module provides information about users on a site. This module has integration with several other modules including the user locations of the Location module. If you enabled display of user locations the Author Pane module may have shown user locations to site visitors who did not have the permission “view all user locations” permission.

Versions affected

Author Pane 6.x-2.x versions prior to 6.x-2.2.

Drupal core is not affected. If you do not use the contributed Author Pane module, there is nothing you need to do.

Solution

Install the latest version:

If you use the Author Pane module for Drupal 6.x, upgrade to Author Pane 6.x-2.2

Reported by

Fixed by

Michelle the module maintainer

Coordinated by

Greg Knaddison of the Drupal Security Team.

References

drupal.org/contact

drupal.org/project/author_pane

drupal.org/security-team

drupal.org/security-team/risk-levels

drupal.org/security/secure-configuration

drupal.org/user/23570

drupal.org/user/36762

drupal.org/user/414872

drupal.org/user/667658

drupal.org/writing-secure-code

JSON