The Node access user reference module 6.x-3.x before 6.x-3.5 and 7.x-3.x before 7.x-3.10 for Drupal does not properly restrict access to content containing a user reference field when the author update/delete grants are enabled and the author's user account is deleted, which allows remote attackers to modify the content via unspecified vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| node_access_user_reference_project | nodeaccess_userreference_module | 6.x-3.x |
| node_access_user_reference_project | nodeaccess_userreference_module | 7.x-3.1 |
| node_access_user_reference_project | nodeaccess_userreference_module | 6.x-3.2 |
| node_access_user_reference_project | nodeaccess_userreference_module | 7.x-3.2 |
| node_access_user_reference_project | nodeaccess_userreference_module | 7.x-3.3 |
| node_access_user_reference_project | nodeaccess_userreference_module | 7.x-3.6 |
| node_access_user_reference_project | nodeaccess_userreference_module | 6.x-3.1 |
| node_access_user_reference_project | nodeaccess_userreference_module | 7.x-3.8 |
| node_access_user_reference_project | nodeaccess_userreference_module | 6.x-3.3 |
| node_access_user_reference_project | nodeaccess_userreference_module | 6.x-3.4 |
| node_access_user_reference_project | nodeaccess_userreference_module | 7.x-3.9 |
| node_access_user_reference_project | nodeaccess_userreference_module | 7.x-3.0 |
| node_access_user_reference_project | nodeaccess_userreference_module | 7.x-3.5 |
| node_access_user_reference_project | nodeaccess_userreference_module | 6.x-3.0 |
| node_access_user_reference_project | nodeaccess_userreference_module | 7.x-3.x |
| node_access_user_reference_project | nodeaccess_userreference_module | 7.x-3.4 |
| node_access_user_reference_project | nodeaccess_userreference_module | 7.x-3.7 |