The Services module 6.x-3.x before 6.x-3.3 and 7.x-3.x before 7.x-3.3 for Drupal allows remote authenticated users with the access user profiles permission to access arbitrary users emails via vectors related to the user index method and the path to the user resource.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Services | Marc_ingram | 6.x-3.0 (including) | 6.x-3.0 (including) |
| Services | Marc_ingram | 6.x-3.0-alpha1 (including) | 6.x-3.0-alpha1 (including) |
| Services | Marc_ingram | 6.x-3.0-beta1 (including) | 6.x-3.0-beta1 (including) |
| Services | Marc_ingram | 6.x-3.0-beta2 (including) | 6.x-3.0-beta2 (including) |
| Services | Marc_ingram | 6.x-3.0-rc1 (including) | 6.x-3.0-rc1 (including) |
| Services | Marc_ingram | 6.x-3.0-rc2 (including) | 6.x-3.0-rc2 (including) |
| Services | Marc_ingram | 6.x-3.0-rc3 (including) | 6.x-3.0-rc3 (including) |
| Services | Marc_ingram | 6.x-3.0-rc4 (including) | 6.x-3.0-rc4 (including) |
| Services | Marc_ingram | 6.x-3.0-unstable1 (including) | 6.x-3.0-unstable1 (including) |
| Services | Marc_ingram | 6.x-3.0-unstable2 (including) | 6.x-3.0-unstable2 (including) |
| Services | Marc_ingram | 6.x-3.0-unstable3 (including) | 6.x-3.0-unstable3 (including) |
| Services | Marc_ingram | 6.x-3.1 (including) | 6.x-3.1 (including) |
| Services | Marc_ingram | 6.x-3.2 (including) | 6.x-3.2 (including) |
| Services | Marc_ingram | 6.x-3.x-dev (including) | 6.x-3.x-dev (including) |
References
- http://drupal.org/node/1842022
- http://drupal.org/node/1842026
- http://drupal.org/node/1853200
- http://www.openwall.com/lists/oss-security/2012/11/29/2
- http://www.securityfocus.com/bid/56723
- http://drupal.org/node/1842022
- http://drupal.org/node/1842026
- http://drupal.org/node/1853200
- http://www.openwall.com/lists/oss-security/2012/11/29/2
- http://www.securityfocus.com/bid/56723