8 matches found
EUVD-2009-4486
Malware in sbrugna...
CVE-2010-2353
The Node Reference module in Content Construction Kit CCK module 6.x before 6.x-2.7 for Drupal does not perform access checks for the source field in the backend URL for the autocomplete widget, which allows remote attackers to discover titles and IDs of controlled nodes...
Improper access control
The Node Reference module in Content Construction Kit CCK module 5.x before 5.x-1.11 and 6.x before 6.x-2.7 for Drupal does not perform access checks before displaying referenced nodes, which allows remote attackers to read controlled nodes...
Design/Logic Flaw
The Node Reference module in Content Construction Kit CCK module 6.x before 6.x-2.7 for Drupal does not perform access checks for the source field in the backend URL for the autocomplete widget, which allows remote attackers to discover titles and IDs of controlled nodes...
CVE-2010-2352
CVE-2010-2352 affects the Drupal Content Construction Kit (CCK) Node Reference module. The Node Reference feature in CCK 5.x (before 5.x-1.11) and 6.x (before 6.x-2.7) fails to perform access checks when displaying referenced nodes, enabling remote attackers to read nodes they should not access. ...
CVE-2010-2353
CVE-2010-2353 affects the Drupal Content Construction Kit (CCK) Node Reference module for Drupal 6.x prior to 6.x-2.7. The backend URL used by the autocomplete widget does not perform field‑level access checks on the source field, allowing remote attackers to discover titles and IDs of nodes the ...
SA-CONTRIB-2010-065 - Content Construction Kit (CCK) - Access Bypass
The Content Construction Kit CCK project is a set of modules that allows you to add custom fields to nodes using a web browser. The CCK "Node Reference" module can be configured to display referenced nodes as hidden, title, teaser or full view. Node access was not checked when displaying these...
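Drupal Content Construction Kit module HTML injection vulnerability
BUGTRAQ ID: 32136 Content Construction Kit (CCK) is a module used by the open-source content management system Drupal to add custom fields to nodes. The CCK module's administrative interface displays certain field labels and content-type names without properly filtering them, so a user with the administer content permission can inject arbitrary HTML and script code into pages by submitting a malicious request. An attacker who successfully exploits this vulnerability can gain full administrative access. Drupal CCK 6.x Drupal CCK 5.x Drupal ------ The vendor has released an upgrade patch to fix this security issue; download it from the vendor's home page:...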