Date Reminder - Moderately critical - Access bypass - SA-CONTRIB-2018-076

Project: Date Reminder
Date: 2018-November-28
Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default
Vulnerability: Access bypass
Description: This module allows registered users to request email reminders to be sent at a specified time before an event.
The module doesn't sufficiently check access to nodes, allowing a user to set a reminder on a node that the user shouldn't be able to access.
This can be mitigated by configuring DateReminder with Reminder Display: "Fieldset within a node", which disables the potential exploit.

Solution: Install the latest version:

Also see the Date Reminder project page.

Reported By:

Fixed By: 

Coordinated By: 

  • Balazs Janos Tatar Provisional Security Team member