Date
Severity
Moderately Critical
Vulnerability
Access Bypass
Affected versions
<7.x-1.9

Description

The AntiSpam module integrates the Akismet anti-spam service and provides moderation operations for flagging and managing spam content on nodes and comments.

The module passes a boolean expression $callback && !antispam_is_spam_moderator(...) directly to function_exists() instead of evaluating the two conditions separately. PHP coerces the boolean result to a string ("1" or ""), and function_exists() returns false for both, so the return FALSE denial is never reached.

This vulnerability is mitigated by the fact that an attacker must have a valid authenticated session and must know or guess valid content IDs to target. For nodes specifically, the access callback also enforces node_access('update'), meaning a typical authenticated user can only affect nodes they already have edit access to; the comment path ("antispam/comment/<cid>/...") carries no equivalent check and is more broadly exploitable.

Solution

Install the latest version.

If you use the AntiSpam module for Drupal 7, upgrade to antispam 7.x-1.9:


Reported by

Fixed by

  • Tag1 D7ES

Coordinated by

  • Tag1 D7ES