Vulnerability Description
The Node Reference module in Content Construction Kit (CCK) module 6.x before 6.x-2.7 for Drupal does not perform access checks for the source field in the backend URL for the autocomplete widget, which allows remote attackers to discover titles and IDs of controlled nodes.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Drupal | Drupal | All versions |
| Yves Chedemois | Cck | 6.x-1.0-alpha |
Related Weaknesses (CWE)
References
- http://drupal.org/node/829566Patch
- http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043100.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043172.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043191.html
- http://osvdb.org/65615
- http://secunia.com/advisories/40243Vendor Advisory
- http://secunia.com/advisories/40318
- http://www.vupen.com/english/advisories/2010/1546
- https://exchange.xforce.ibmcloud.com/vulnerabilities/59515
- http://drupal.org/node/829566Patch
- http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043100.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043172.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043191.html
- http://osvdb.org/65615
- http://secunia.com/advisories/40243Vendor Advisory
FAQ
What is CVE-2010-2353?
CVE-2010-2353 is a vulnerability with a CVSS score of 5.0 (MEDIUM). The Node Reference module in Content Construction Kit (CCK) module 6.x before 6.x-2.7 for Drupal does not perform access checks for the source field in the backend URL for the autocomplete widget, whi...
How severe is CVE-2010-2353?
CVE-2010-2353 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2010-2353?
Check the references section above for vendor advisories and patch information. Affected products include: Drupal Drupal, Yves Chedemois Cck.