Description
The User Alert module provides a system for displaying persistent messages to users that can be dismissed and won't reappear for that user. The module includes a JavaScript endpoint that accepts a message parameter containing a node ID (NID) and records the dismissal in the database.
The module doesn't properly validate that the requesting user has permission to view the node being dismissed.
This vulnerability is mitigated by the requirement for authenticated user access to trigger the endpoint, and the fact that the vulnerability only affects the dismissal tracking system rather than exposing sensitive content directly. However, it could be used to gather information about node existence and potentially interfere with content management workflows.
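One way to add the missing check in a Drupal 7 menu callback, as an added example that is not the User Alert module's code or its 7.x-1.11 fix. The path, function names, POST transport and the `example_alert_dismissed` table are assumptions; `node_load()`, `node_access()`, `db_merge()` and `user_is_logged_in()` are Drupal 7 core APIs.

```php
<?php
/**
 * Added example, not the User Alert module's code. The path, the function
 * names and the example_alert_dismissed table are hypothetical.
 */

/**
 * Implements hook_menu().
 */
function example_alert_menu() {
  $items['js/example-alert/dismiss'] = array(
    'page callback' => 'example_alert_dismiss',
    // Authenticated users only, matching the advisory's precondition.
    'access callback' => 'user_is_logged_in',
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Records that the current user dismissed the alert node named in 'message'.
 */
function example_alert_dismiss() {
  global $user;

  // Assumption: the NID arrives as a POST field named 'message'.
  $raw = isset($_POST['message']) ? $_POST['message'] : '';
  // Accept only a plain positive integer as the NID.
  $nid = (is_string($raw) && ctype_digit($raw)) ? (int) $raw : 0;
  $node = $nid > 0 ? node_load($nid) : FALSE;

  // A missing node and a node the user may not view get the same response,
  // so the endpoint does not reveal which NIDs exist.
  if (!$node || !node_access('view', $node)) {
    return MENU_NOT_FOUND;
  }

  // Idempotent write keyed on (uid, nid); only reached for viewable nodes.
  db_merge('example_alert_dismissed')
    ->key(array('uid' => $user->uid, 'nid' => $node->nid))
    ->fields(array('dismissed' => REQUEST_TIME))
    ->execute();

  drupal_json_output(array('status' => 'ok'));
}
```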
Solution
Install the latest version.
If you use the User Alert module for Drupal 7, upgrade to User Alert 7.x-1.11.
Reported by
Fixed by
- Tag1 D7ES
Coordinated by
- Tag1 D7ES