
SA-CONTRIB-2014-078 - Notify - Access bypass

2014-08-13 00:00:00
Drupal Security Team
www.drupal.org

CVSS2: 4 (AV:N/AC:L/Au:S/C:P/I:N/A:N)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Authentication: SINGLE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE

EPSS: 0.001 (percentile 46.8%)

The notify module allows users to subscribe to periodic emails which include all new or revised content and/or comments of specific content types, much like the daily newsletters sent by some websites.

The Notify module does not sufficiently check whether the recipient has access to recently added or updated nodes, or to every field within those nodes, before including them in that user's notification emails. As a result, node titles, and potentially node teasers and field values, are exposed to users who should not be able to see them.

This vulnerability is mitigated by the fact that a site must use some form of access control and must be configured to include nodes with protected content in notifications.
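The following Drupal 7 snippet is an added example, not code from the Notify module or the Drupal Security Team: it contrasts the unchecked pattern the advisory describes with a digest builder that filters nodes and fields by the subscriber's own access. The function names, `$since` (timestamp of the previous digest) and `$account` (the subscriber's loaded user object) are assumptions.

```php
<?php
/**
 * Added example (hypothetical helper, not Notify's code): nodes changed
 * since $since that the subscriber $account may actually view.
 */
function example_notify_visible_nodes($since, $account) {
  // Unchecked pattern (the class of bug in the advisory): every recently
  // changed node is selected with no node_access tag and no account, so
  // nodes protected by a node access module reach every subscriber.
  //   $nids = db_query('SELECT nid FROM {node} WHERE changed > :since',
  //     array(':since' => $since))->fetchCol();

  // Hardened: tag the query so Drupal's node access system rewrites it
  // using the grants of *this* subscriber, not the user running cron.
  $query = db_select('node', 'n')
    ->fields('n', array('nid'))
    ->condition('n.changed', $since, '>')
    ->condition('n.status', 1)
    ->addTag('node_access')
    ->addMetaData('account', $account);
  $nids = $query->execute()->fetchCol();

  $visible = array();
  foreach (node_load_multiple($nids) as $node) {
    // The query tag only applies node_access grants; hook_node_access()
    // implementations are not consulted there, so re-check each node.
    if (!node_access('view', $node, $account)) {
      continue;
    }
    $visible[$node->nid] = $node;
  }
  return $visible;
}

/**
 * Added example (hypothetical helper): only the field values the
 * subscriber may view, so a field hidden by a field-level access
 * module is not leaked into the email body.
 */
function example_notify_visible_fields($node, $account) {
  $out = array();
  foreach (field_info_instances('node', $node->type) as $name => $instance) {
    $field = field_info_field($name);
    if (field_access('view', $field, 'node', $node, $account)) {
      $out[$name] = field_get_items('node', $node, $name);
    }
  }
  return $out;
}
```

Any email body built from the result of these two functions shows a subscriber only what they could see on the site itself.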

CVE identifier(s) issued

  • CVE-2014-9154

Versions affected

  • Notify 7.x-1.0.

Drupal core is not affected. If you do not use the contributed Notify module,
there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Notify module for Drupal 7.x, upgrade to Notify 7.x-1.1

Also see the Notify project page.

Reported by

Fixed by

Coordinated by
