
SA-CONTRIB-2012-095 - Simplenews - Information Disclosure

2012-06-06 00:00:00
Drupal Security Team
www.drupal.org

CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:P/I:N/A:N)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE

CVSS3: 5.3 Medium (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: NONE

EPSS: 0.01 Low (percentile 83.7%)

Simplenews publishes and sends newsletters. When subscribing to a Simplenews mailing list, confirmation may be required, and Simplenews may disclose the user’s e-mail address on the confirmation page. Further, due to the absence of a noindex tag, the list of e-mail addresses can subsequently be indexed by search engines.

CVE: CVE-2012-2724

Versions affected

  • Simplenews 6.x-1.x versions prior to 6.x-1.4
  • Simplenews 6.x-2.x versions prior to 6.x-2.0-alpha4
  • Simplenews 7.x-1.x versions prior to 7.x-1.0-rc1

Drupal core is not affected. If you do not use the contributed Simplenews module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Simplenews module for Drupal 6.x, upgrade to Simplenews 6.x-1.4 or Simplenews 6.x-2.0-alpha4
  • If you use the Simplenews module for Drupal 7.x, upgrade to Simplenews 7.x-1.0-rc1

Also see the Simplenews project page.
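To check a saved confirmation-page response for the two conditions this advisory describes (a visible e-mail address and no noindex directive), the following added example, which is not code from the Simplenews project or the Drupal Security Team, parses the response headers and HTML. The sample page markup and the function names are constructed for illustration and do not reproduce Simplenews output.

```python
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def _directives(value):
    """Split a robots value; drop an optional 'googlebot:' style prefix."""
    return {d.split(":")[-1].strip().lower() for d in value.split(",")}

class _PageScan(HTMLParser):
    """Collects robots meta directives and text, skipping script/style."""
    def __init__(self):
        super().__init__()
        self.robots, self.text, self._skip = set(), [], 0

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() in ("robots", "googlebot"):
            self.robots |= _directives(a.get("content", ""))
        if tag in ("script", "style"):
            self._skip += 1
        # mailto: links and pre-filled form values expose addresses too
        self.text += [a[k] for k in ("href", "value") if k in a]

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)

def audit_page(headers, body):
    """Return (sorted e-mail addresses found, True if indexing is forbidden)."""
    scan = _PageScan()
    scan.feed(body)
    scan.close()
    directives = set(scan.robots)
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":  # header form of the same directive
            directives |= _directives(value)
    emails = sorted(set(EMAIL_RE.findall(" ".join(scan.text))))
    return emails, bool(directives & {"noindex", "none"})

def is_exposed(headers, body):
    """True when the page shows an address and search engines may index it."""
    emails, noindex = audit_page(headers, body)
    return bool(emails) and not noindex

# Constructed sample pages (not actual Simplenews markup).
SAMPLE_OPEN = "<html><head><title>Confirm</title></head><body><p>Add alice@example.org to the list?</p></body></html>"
SAMPLE_NOINDEX = SAMPLE_OPEN.replace("<head>", '<head><meta name="robots" content="noindex, nofollow" />')
```

A page flagged by `is_exposed` still needs manual review, since a noindex directive only keeps the page out of search results and does not stop the address from being shown to whoever loads the URL.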

Reported by

Fixed by

Coordinated by
