SA-CONTRIB-2013-073 - Make Meeting Scheduler - Access Bypass

2013-09-04 00:00:00
Drupal Security Team
www.drupal.org
CVSS2: 6.4 Medium (AV:N/AC:L/Au:N/C:P/I:P/A:N)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

EPSS: 0.002 Low (Percentile: 54.0%)

This module enables you to create polls that are accessible via a URL containing a hash (e.g. example.com/makemeeting/sn9028xh3398), so that anonymous users can view and vote on the poll.

The module didn’t sufficiently check access when a poll was accessed directly via its node URL (e.g. node/123). Note: a user with the hashed URL can still access and vote on the poll, as that is the intention of the module.
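
The access pattern described above, as an added Python model that is not the module's code (the module itself is Drupal 6 PHP): the hash route stays open by design, while the node route needs its own check. The function names, the sample poll and the owner-or-admin policy on the node path are assumptions for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Poll:
    nid: int      # sequential node id, as in node/123
    owner: str
    title: str
    # Unguessable token used in makemeeting/<hash> (constructed per poll)
    url_hash: str = field(default_factory=lambda: secrets.token_urlsafe(9))

class AccessDenied(Exception):
    pass

# Constructed sample data
POLLS = {123: Poll(123, "alice", "Team offsite date")}

def view_by_hash(url_hash):
    """makemeeting/<hash>: knowing the hash is the credential, by design."""
    for poll in POLLS.values():
        if hmac.compare_digest(poll.url_hash.encode(), url_hash.encode()):
            return poll
    raise AccessDenied("unknown hash")

def view_by_node_vulnerable(nid, user=None):
    """node/<nid> as the advisory describes it: the requester is never checked."""
    return POLLS[nid]

def view_by_node_hardened(nid, user=None, admins=("admin",)):
    """node/<nid> with an access check (assumed policy: owner or admin only)."""
    poll = POLLS.get(nid)
    if poll is None or user is None:
        raise AccessDenied("node path requires an authorised account")
    if user != poll.owner and user not in admins:
        raise AccessDenied("node path requires an authorised account")
    return poll

def is_denied(route, *args):
    """True when the route refuses the request."""
    try:
        route(*args)
        return False
    except (AccessDenied, KeyError):
        return True
```

The point of the model is that the check belongs to every path that reaches the poll, not only to the route the module advertises.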

CVE identifier(s) issued

  • CVE-2013-4379

Versions affected

  • Make Meeting Scheduler 6.x-1.x versions prior to 6.x-1.3.

Drupal core is not affected. If you do not use the contributed Make Meeting Scheduler module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Make Meeting Scheduler module for Drupal 6.x, upgrade to Make Meeting Scheduler module 6.x-1.3

Also see the Make Meeting Scheduler project page.

Reported by

Fixed by

Coordinated by
