CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
EPSS Percentile: 46.8%
The Notify module allows users to subscribe to periodic emails that include all new or revised content and/or comments of specific content types, much like the daily newsletters sent by some websites.
The Notify module does not sufficiently check whether the user has access to recently added or updated nodes and all the fields within the node before including the nodes in notification emails to a given user. This will expose node titles and potentially node teasers and fields to users who should not see them.
This vulnerability is mitigated by the fact that a site must use some form of access control and must be configured to include nodes with protected content in notifications.
Drupal core is not affected. If you do not use the contributed Notify module, there is nothing you need to do.
Install the latest version:
Also see the Notify project page.
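The access-check gap described above, as an added example that is not code from the Notify module or from Drupal: a simplified Python model in which a digest built without per-recipient checks is compared with one that evaluates node and field access for the recipient. The `Node` and `User` classes, the role names, the function names and the sample content are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Node:                      # simplified model, not a Drupal node object
    title: str
    teaser: str
    fields: dict                 # field name -> value
    view_roles: set              # roles allowed to view the node
    field_roles: dict = field(default_factory=dict)  # per-field overrides

@dataclass
class User:
    name: str
    roles: set

def can_view_node(user, node):
    return bool(user.roles & node.view_roles)

def can_view_field(user, node, name):
    # A field without its own restriction inherits the node's access rule.
    return bool(user.roles & node.field_roles.get(name, node.view_roles))

def build_digest_unchecked(user, changed):
    """Flawed pattern: every changed node goes to every subscriber."""
    return [{"title": n.title, "teaser": n.teaser, "fields": dict(n.fields)}
            for n in changed]

def build_digest_checked(user, changed):
    """Evaluate access as the recipient: first the node, then each field."""
    digest = []
    for n in changed:
        if not can_view_node(user, n):
            continue             # drop title and teaser as well, not just the body
        visible = {k: v for k, v in n.fields.items() if can_view_field(user, n, k)}
        digest.append({"title": n.title, "teaser": n.teaser, "fields": visible})
    return digest

# Constructed sample data for the demonstration.
CHANGED = [
    Node("Release notes", "Version 2 is out", {"body": "Changelog"}, {"member", "staff"}),
    Node("Salary review", "Draft figures", {"body": "Numbers"}, {"staff"}),
    Node("Ticket 12", "Printer issue", {"body": "Details", "note": "Escalate"},
         {"member", "staff"}, {"note": {"staff"}}),
]
MEMBER = User("alice", {"member"})
STAFF = User("bob", {"staff"})

if __name__ == "__main__":
    for build in (build_digest_unchecked, build_digest_checked):
        print(build.__name__, [d["title"] for d in build(MEMBER, CHANGED)])
```

The same comparison works as a regression test for any notification feature: build the digest for a low-privilege account and assert that restricted titles, teasers and fields are absent.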