CVE-2010-1548 Information

Description

The auto-complete functionality in the Chaos Tool Suite (aka CTools) module 6.x before 6.x-1.4 for Drupal does not follow access restrictions, which allows remote authenticated users with "access content" privileges to read the title of an unpublished node via a q=ctools/autocomplete/node/ value accompanied by the first character of the node's title.

Reference

http://drupal.org/node/803944
http://seclists.org/fulldisclosure/2010/May/272
http://secunia.com/advisories/39884
http://www.madirish.net/?article=458
http://www.securityfocus.com/bid/40285
https://exchange.xforce.ibmcloud.com/vulnerabilities/58724
