CVE-2010-2353

Summary

CVE	CVE-2010-2353
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2010-06-21 19:30:00 UTC
Updated	2017-08-17 01:32:00 UTC
Description	The Node Reference module in Content Construction Kit (CCK) module 6.x before 6.x-2.7 for Drupal does not perform access checks for the source field in the backend URL for the autocomplete widget, which allows remote attackers to discover titles and IDs of controlled nodes.

Risk And Classification

Problem Types: CWE-264

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Drupal	Drupal	All	All	All	All
Application	Drupal	Drupal	All	All	All	All
Application	Yves Chedemois	Cck	6.x-1.0-alpha	All	All	All
Application	Yves Chedemois	Cck	6.x-1.x-dev	All	All	All
Application	Yves Chedemois	Cck	6.x-2.0	All	All	All
Application	Yves Chedemois	Cck	6.x-2.0	beta	All	All
Application	Yves Chedemois	Cck	6.x-2.0	rc1	All	All
Application	Yves Chedemois	Cck	6.x-2.0	rc10	All	All
Application	Yves Chedemois	Cck	6.x-2.0	rc2	All	All
Application	Yves Chedemois	Cck	6.x-2.0	rc3	All	All
Application	Yves Chedemois	Cck	6.x-2.0	rc4	All	All
Application	Yves Chedemois	Cck	6.x-2.0	rc5	All	All
Application	Yves Chedemois	Cck	6.x-2.0	rc6	All	All
Application	Yves Chedemois	Cck	6.x-2.0	rc7	All	All
Application	Yves Chedemois	Cck	6.x-2.0	rc8	All	All
Application	Yves Chedemois	Cck	6.x-2.0	rc9	All	All
Application	Yves Chedemois	Cck	6.x-2.1	All	All	All
Application	Yves Chedemois	Cck	6.x-2.2	All	All	All
Application	Yves Chedemois	Cck	6.x-2.3	All	All	All
Application	Yves Chedemois	Cck	6.x-2.4	All	All	All
Application	Yves Chedemois	Cck	6.x-2.5	All	All	All
Application	Yves Chedemois	Cck	6.x-2.6	All	All	All
Application	Yves Chedemois	Cck	6.x-2.x-dev	All	All	All
Application	Yves Chedemois	Cck	6.x-3.x-dev	All	All	All
Application	Yves Chedemois	Cck	6.x-1.0-alpha	All	All	All
Application	Yves Chedemois	Cck	6.x-1.x-dev	All	All	All
Application	Yves Chedemois	Cck	6.x-2.0	All	All	All
Application	Yves Chedemois	Cck	6.x-2.0	beta	All	All
Application	Yves Chedemois	Cck	6.x-2.0	rc1	All	All
Application	Yves Chedemois	Cck	6.x-2.0	rc10	All	All
Application	Yves Chedemois	Cck	6.x-2.0	rc2	All	All
Application	Yves Chedemois	Cck	6.x-2.0	rc3	All	All
Application	Yves Chedemois	Cck	6.x-2.0	rc4	All	All
Application	Yves Chedemois	Cck	6.x-2.0	rc5	All	All
Application	Yves Chedemois	Cck	6.x-2.0	rc6	All	All
Application	Yves Chedemois	Cck	6.x-2.0	rc7	All	All
Application	Yves Chedemois	Cck	6.x-2.0	rc8	All	All
Application	Yves Chedemois	Cck	6.x-2.0	rc9	All	All
Application	Yves Chedemois	Cck	6.x-2.1	All	All	All
Application	Yves Chedemois	Cck	6.x-2.2	All	All	All
Application	Yves Chedemois	Cck	6.x-2.3	All	All	All
Application	Yves Chedemois	Cck	6.x-2.4	All	All	All
Application	Yves Chedemois	Cck	6.x-2.5	All	All	All
Application	Yves Chedemois	Cck	6.x-2.6	All	All	All
Application	Yves Chedemois	Cck	6.x-2.x-dev	All	All	All
Application	Yves Chedemois	Cck	6.x-3.x-dev	All	All	All

References

Reference	Source	Link	Tags
[SECURITY] Fedora 13 Update: drupal-cck-6.x.2.7-1.fc13	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 11 Update: drupal-cck-6.x.2.7-1.fc11	FEDORA	lists.fedoraproject.org
About Secunia Research \| Flexera	SECUNIA	secunia.com	Vendor Advisory
IBM X-Force Exchange	XF	exchange.xforce.ibmcloud.com
[SECURITY] Fedora 12 Update: drupal-cck-6.x.2.7-1.fc12	FEDORA	lists.fedoraproject.org
SA-CONTRIB-2010-065 - Content Construction Kit (CCK) - Access Bypass \| drupal.org	CONFIRM	drupal.org	Patch
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH	VUPEN	www.vupen.com
65615	OSVDB	osvdb.org
Fedora update for drupal-cck - Secunia.com	SECUNIA	secunia.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.