CVE-2012-5557 Information

Description

The User Read-Only module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.4 for Drupal does not properly assign roles when there are more than three roles on the site and certain unspecified configurations are in use, which might allow remote authenticated users to gain privileges by performing certain operations, as demonstrated by changing a password.

Reference

http://drupal.org/node/1840038
http://drupal.org/node/1840054
http://drupal.org/node/1840886
http://www.openwall.com/lists/oss-security/2012/11/20/4
