The hook_comments API in Drupal 4.7.x prior to 4.7.8 and 5.x prior to 5.3 does not pass publication status, which might allow malicious users to bypass access restrictions and trigger e-mail with unpublished comments from some modules, as demonstrated by (1) Organic groups and (2) Subscriptions.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
drupal drupal |