CVE-2010-2353 Information

Description

The Node Reference module in Content Construction Kit (CCK) module 6.x before 6.x-2.7 for Drupal does not perform access checks for the source field in the backend URL for the autocomplete widget which allows remote attackers to discover titles and IDs of controlled nodes.

Reference

http://drupal.org/node/829566 http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043100.html http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043172.html http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043191.html http://osvdb.org/65615 http://secunia.com/advisories/40243 http://secunia.com/advisories/40318 http://www.vupen.com/english/advisories/2010/1546 https://exchange.xforce.ibmcloud.com/vulnerabilities/59515