Vigil@nce - Drupal Make Meeting Scheduler: access to polls
September 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use a direct url, in order to access to votes of
Drupal Make Meeting Scheduler.
– Impacted products: Drupal Modules
– Severity: 2/4
– Creation date: 05/09/2013
DESCRIPTION OF THE VULNERABILITY
The Drupal Make Meeting Scheduler module provides a vote
management feature.
A anonymous user can read the subject, and vote. However, using
the node number, users can access to all votes.
An attacker can therefore use a direct url, in order to access to
votes of Drupal Make Meeting Scheduler.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Drupal-Make-Meeting-Scheduler-access-to-polls-13349