The commons_discussion_views_default_views function in modules/features/commons_discussion/commons_discussion.views_default.inc in the Drupal Commons module 6.x-2.x before 6.x-2.8 for Drupal does not properly enforce intended node access restrictions, which might allow remote attackers to obtain sensitive information via the recent comments listing.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Commons | Acquia | 6.x-2.4 (including) | 6.x-2.4 (including) |
| Commons | Acquia | 6.x-2.5 (including) | 6.x-2.5 (including) |
| Commons | Acquia | 6.x-2.6 (including) | 6.x-2.6 (including) |
| Commons | Acquia | 6.x-2.7 (including) | 6.x-2.7 (including) |
| Commons | Acquia | 6.x-2.x-dev (including) | 6.x-2.x-dev (including) |
References
- http://drupal.org/node/1679820
- http://drupal.org/node/1679908
- http://drupalcode.org/project/commons.git/commitdiff/8ef688b
- http://www.openwall.com/lists/oss-security/2012/10/04/6
- http://www.openwall.com/lists/oss-security/2012/10/07/1
- http://drupal.org/node/1679820
- http://drupal.org/node/1679908
- http://drupalcode.org/project/commons.git/commitdiff/8ef688b
- http://www.openwall.com/lists/oss-security/2012/10/04/6
- http://www.openwall.com/lists/oss-security/2012/10/07/1