A security issue has been reported in the Privatemsg module for Drupal, which can be exploited by malicious users to bypass certain security restrictions.
The security issue exists due to improper access permission checks in the Email Notification module (pm_email_notify.module) and can be exploited to modify the notification template.
Successful exploitation requires the "read privatemsg" permission.
The security issue is reported in versions prior to 6.x-1.2.
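In Drupal 6, page-level access is normally enforced by the `access arguments` of a module's `hook_menu()` entries, so a settings form gated by an ordinary user permission can be edited by every account holding that permission. The sketch below is an added illustration of that pattern and its correction, not code from Privatemsg; it assumes the check is a menu access argument, and the module name `example_notify`, its path, form, variable and administrative permission are hypothetical.

```php
<?php
// Added illustration for Drupal 6. "example_notify", its path, form,
// variable and "administer example_notify settings" are hypothetical names.

/**
 * Implements hook_perm(): declare a dedicated administrative permission.
 */
function example_notify_perm() {
  return array('administer example_notify settings');
}

/**
 * Implements hook_menu().
 */
function example_notify_menu() {
  $items = array();

  // Weak form: the settings page is gated by a permission that ordinary
  // message users hold, so any of them can change the template.
  //   'access arguments' => array('read privatemsg'),

  // Corrected form: only holders of the administrative permission pass.
  $items['admin/settings/example-notify'] = array(
    'title' => 'E-mail notification settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_notify_settings_form'),
    'access arguments' => array('administer example_notify settings'),
    'type' => MENU_NORMAL_ITEM,
  );
  return $items;
}

/**
 * Settings form holding the notification template.
 */
function example_notify_settings_form() {
  $form['example_notify_body'] = array(
    '#type' => 'textarea',
    '#title' => t('Notification template'),
    '#default_value' => variable_get('example_notify_body', ''),
  );
  // system_settings_form() stores the submitted values with variable_set().
  return system_settings_form($form);
}
```

Menu definitions are cached in Drupal 6, so a changed access argument only takes effect once the menu is rebuilt, for example by clearing the caches or running update.php after the module update.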
Solution
Update to version 6.x-1.2 or later.
Provided and/or discovered by
The vendor credits Lee Rowlands.
Original Advisory
SA-CONTRIB-2010-038:
http://drupal.org/node/784602