CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
EPSS
Percentile: 99.7%
The Autocomplete Widgets module adds autocomplete widgets for Text and Number fields.
The autocomplete callback implemented by this module does not honor node permissions to access existing fields, allowing users to see field values even though they are not authorized to access that information.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create or edit content.
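A simplified model of the flaw described above, added here as an illustration: it is not the module's code and does not use Drupal's API. The users, nodes, field names and permission strings are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class User:
    name: str
    permissions: set            # permission strings held via the user's roles

@dataclass
class Node:
    nid: int
    viewers: set                # names of users allowed to view this node
    fields: dict                # field name -> stored value

# Constructed sample data; permission and field names are hypothetical.
FIELD_VIEW_PERM = {"field_city": None, "field_code": "view field_code"}
NODES = [
    Node(1, {"alice", "bob"}, {"field_city": "Berlin", "field_code": "ALPHA-1"}),
    Node(2, {"alice"}, {"field_city": "Bern", "field_code": "ALPHA-2"}),
]
ALICE = User("alice", {"edit content", "view field_code"})
BOB = User("bob", {"edit content"})
GUEST = User("guest", set())

def _matches(node, field_name, typed):
    value = node.fields.get(field_name, "")
    return bool(typed) and value.lower().startswith(typed.lower())

def autocomplete_vulnerable(user, field_name, typed):
    """Only gate: caller may create/edit content. Suggestions come from every node."""
    if "edit content" not in user.permissions:
        return []
    return sorted({n.fields[field_name] for n in NODES if _matches(n, field_name, typed)})

def autocomplete_hardened(user, field_name, typed):
    """Adds a field-level check and filters candidate nodes by the caller's view access."""
    if "edit content" not in user.permissions:
        return []
    if field_name not in FIELD_VIEW_PERM:
        return []                                   # unknown field: nothing to suggest
    required = FIELD_VIEW_PERM[field_name]
    if required is not None and required not in user.permissions:
        return []                                   # caller may not view this field
    return sorted({n.fields[field_name] for n in NODES
                   if user.name in n.viewers and _matches(n, field_name, typed)})

def leaked(user, field_name, typed):
    """Values the vulnerable callback reveals that the hardened one withholds."""
    return sorted(set(autocomplete_vulnerable(user, field_name, typed))
                  - set(autocomplete_hardened(user, field_name, typed)))
```

`leaked()` is the regression check: for any user and field it should return an empty list once the callback enforces both the field-level and the node-level view checks.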
Drupal core is not affected. If you do not use the contributed Autocomplete Widgets for Text and Number Fields module, there is nothing you need to do.
Install the latest version:
Also see the Autocomplete Widgets for Text and Number Fields project page.
drupal.org/contact
drupal.org/node/1971848
drupal.org/node/1971856
drupal.org/project/autocomplete_widgets
drupal.org/security-team
drupal.org/security-team/risk-levels
drupal.org/security/secure-configuration
drupal.org/user/124982
drupal.org/user/19668
drupal.org/user/36762
drupal.org/user/421070
drupal.org/user/52142
drupal.org/user/693536
drupal.org/user/8274
drupal.org/user/91990
drupal.org/writing-secure-code