===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3709
            Date Reminder - Moderately critical - Access bypass
                             29 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Drupal Date Reminder
Publisher:         Drupal
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin:
   https://www.drupal.org/sa-contrib-2018-076

--------------------------BEGIN INCLUDED TEXT--------------------

Date Reminder - Moderately critical - Access bypass - SA-CONTRIB-2018-076

Project:        Date Reminder
Date:           2018-November-28
Security risk:  Moderately critical 10/25
                AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability:  Access bypass

Description:

This module allows registered users to request email reminders to be sent
at a specified time before an event.

The module doesn't sufficiently check access to nodes, allowing a user to
set a reminder on a node that the user shouldn't be able to access.

This can be mitigated by configuring DateReminder with Reminder Display:
"Fieldset within a node", which disables the potential exploit.

Solution:

Install the latest version:

  o If you use the Date Reminder module for Drupal 7.x, upgrade to
    Date Reminder 7.x-1.15

Also see the Date Reminder project page.

Reported By:

  o than_nak87

Fixed By:

  o dwillcox
  o Balazs Janos Tatar Provisional Security Team member

Coordinated By:

Balazs Janos Tatar Provisional Security Team member

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these bulletins
you should contact your local IT manager. If you do not know who that is,
please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
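
A check for the fixed release named under "Solution" above, as an added example that is not part of the AusCERT or Drupal bulletin: it reads the `version` line that Drupal.org packaging writes into a Drupal 7 module's .info file and compares it with 7.x-1.15. The sample .info contents are constructed, and treating stable 7.x releases later than 1.15 as fixed is an assumption.

```python
import re

# Fixed release named in the bulletin: Date Reminder 7.x-1.15
FIXED = (1, 15)

# Drupal.org packaging appends a line such as: version = "7.x-1.14"
_VERSION_LINE = re.compile(r'^\s*version\s*=\s*"?([^"\s]+)"?\s*$')
# Only stable 7.x releases are compared; anything else needs a manual look.
_STABLE_7X = re.compile(r'^7\.x-(\d+)\.(\d+)$')


def info_version(info_text):
    """Return the version string from Drupal 7 .info text, or None if absent."""
    for line in info_text.splitlines():
        match = _VERSION_LINE.match(line)
        if match:
            return match.group(1)
    return None


def assess(info_text):
    """Classify a Date Reminder .info file as 'fixed', 'vulnerable' or 'unknown'."""
    version = info_version(info_text)
    if version is None:
        return "unknown"      # e.g. a git checkout without a packaging stamp
    match = _STABLE_7X.match(version)
    if match is None:
        return "unknown"      # dev snapshots, pre-releases, other core branches
    release = (int(match.group(1)), int(match.group(2)))
    # Assumption: stable releases after 7.x-1.15 keep the access check.
    return "fixed" if release >= FIXED else "vulnerable"


# Constructed sample .info contents (not taken from the real module).
SAMPLE_OLD = 'name = Date Reminder\ncore = 7.x\nversion = "7.x-1.14"\n'
SAMPLE_FIXED = 'name = Date Reminder\ncore = 7.x\nversion = "7.x-1.15"\n'
SAMPLE_DEV = 'name = Date Reminder\ncore = 7.x\nversion = "7.x-1.x-dev"\n'
SAMPLE_UNSTAMPED = 'name = Date Reminder\ncore = 7.x\n'

if __name__ == "__main__":
    for label, text in [("old", SAMPLE_OLD), ("fixed", SAMPLE_FIXED),
                        ("dev", SAMPLE_DEV), ("unstamped", SAMPLE_UNSTAMPED)]:
        print(label, info_version(text), assess(text))
```

An "unknown" result means the version cannot be read from the file, so the install should be checked by hand rather than assumed safe.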