Description
The hook_comments API in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 does not pass publication status, which might allow attackers to bypass access restrictions and trigger e-mail with unpublished comments from some modules, as demonstrated by (1) Organic groups and (2) Subscriptions.
Remediation
References
Related Vulnerabilities
WordPress Plugin Contact Form 7 Style Cross-Site Request Forgery (3.2)
MySQL CVE-2021-2305 Vulnerability (CVE-2021-2305)
PHP Data Processing Errors Vulnerability (CVE-2015-4147)
Joomla Incorrect Authorization Vulnerability (CVE-2010-1435)
Moodle Improper Handling of Insufficient Permissions or Privileges Vulnerability (CVE-2025-67848)