Content management system publisher Drupal has issued fixes for what is has described as a moderately critical issue regarding its Twitter Post module that allows unauthorized users to change Twitter account settings or even delete an account.
The company said that the Twitter module used in Drupal versions 6.x and 7.x do not properly check for access thus allowing a tweet to be posted not only by the Drupal user, but by any authenticated Twitter account owner. In addition to being able to tweet, the vulnerability allows “any user to change the options for any other account, including deleting the attached Twitter account.”
Drupal has issued a solution requesting Twitter module users update to the latest Twitter module for Drupal.
A CVE identifier has been requested, but not yet issued for the problem.
