The Node access user reference module 6.x-3.x before 6.x-3.5 and 7.x-3.x before 7.x-3.10 for Drupal does not properly restrict access to content containing a user reference field when the author update/delete grants are enabled and the authors user account is deleted, which allows remote attackers to modify the content via unspecified vectors.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Nodeaccess_userreference_module | Node_access_user_reference_project | 6.x-3.0 (including) | 6.x-3.0 (including) |
| Nodeaccess_userreference_module | Node_access_user_reference_project | 6.x-3.0-rc1 (including) | 6.x-3.0-rc1 (including) |
| Nodeaccess_userreference_module | Node_access_user_reference_project | 6.x-3.0-rc2 (including) | 6.x-3.0-rc2 (including) |
| Nodeaccess_userreference_module | Node_access_user_reference_project | 6.x-3.0-rc3 (including) | 6.x-3.0-rc3 (including) |
| Nodeaccess_userreference_module | Node_access_user_reference_project | 6.x-3.0-rc4 (including) | 6.x-3.0-rc4 (including) |
| Nodeaccess_userreference_module | Node_access_user_reference_project | 6.x-3.0-rc5 (including) | 6.x-3.0-rc5 (including) |
| Nodeaccess_userreference_module | Node_access_user_reference_project | 6.x-3.0-rc6 (including) | 6.x-3.0-rc6 (including) |
| Nodeaccess_userreference_module | Node_access_user_reference_project | 6.x-3.1 (including) | 6.x-3.1 (including) |
| Nodeaccess_userreference_module | Node_access_user_reference_project | 6.x-3.2 (including) | 6.x-3.2 (including) |
| Nodeaccess_userreference_module | Node_access_user_reference_project | 6.x-3.3 (including) | 6.x-3.3 (including) |
| Nodeaccess_userreference_module | Node_access_user_reference_project | 6.x-3.4 (including) | 6.x-3.4 (including) |
| Nodeaccess_userreference_module | Node_access_user_reference_project | 6.x-3.x-dev (including) | 6.x-3.x-dev (including) |
| Nodeaccess_userreference_module | Node_access_user_reference_project | 7.x-3.0 (including) | 7.x-3.0 (including) |
| Nodeaccess_userreference_module | Node_access_user_reference_project | 7.x-3.0-rc1 (including) | 7.x-3.0-rc1 (including) |
| Nodeaccess_userreference_module | Node_access_user_reference_project | 7.x-3.0-rc2 (including) | 7.x-3.0-rc2 (including) |
| Nodeaccess_userreference_module | Node_access_user_reference_project | 7.x-3.0-rc3 (including) | 7.x-3.0-rc3 (including) |
| Nodeaccess_userreference_module | Node_access_user_reference_project | 7.x-3.0-rc4 (including) | 7.x-3.0-rc4 (including) |
| Nodeaccess_userreference_module | Node_access_user_reference_project | 7.x-3.0-rc5 (including) | 7.x-3.0-rc5 (including) |
| Nodeaccess_userreference_module | Node_access_user_reference_project | 7.x-3.1 (including) | 7.x-3.1 (including) |
| Nodeaccess_userreference_module | Node_access_user_reference_project | 7.x-3.2 (including) | 7.x-3.2 (including) |
| Nodeaccess_userreference_module | Node_access_user_reference_project | 7.x-3.3 (including) | 7.x-3.3 (including) |
| Nodeaccess_userreference_module | Node_access_user_reference_project | 7.x-3.4 (including) | 7.x-3.4 (including) |
| Nodeaccess_userreference_module | Node_access_user_reference_project | 7.x-3.5 (including) | 7.x-3.5 (including) |
| Nodeaccess_userreference_module | Node_access_user_reference_project | 7.x-3.6 (including) | 7.x-3.6 (including) |
| Nodeaccess_userreference_module | Node_access_user_reference_project | 7.x-3.7 (including) | 7.x-3.7 (including) |
| Nodeaccess_userreference_module | Node_access_user_reference_project | 7.x-3.8 (including) | 7.x-3.8 (including) |
| Nodeaccess_userreference_module | Node_access_user_reference_project | 7.x-3.9 (including) | 7.x-3.9 (including) |
| Nodeaccess_userreference_module | Node_access_user_reference_project | 7.x-3.x-dev (including) | 7.x-3.x-dev (including) |