SA-CONTRIB-2013-041 - Chaos tool suite (ctools) - Access bypass
This CTools module provides a set of APIs and tools to improve the developer experience. The module doesn't sufficiently enforce node access when providing an autocomplete list of suggested node titles, allowing users with the "access content" permission to see the titles of nodes which they shou...
SA-CONTRIB-2013-011 - email2image - Access Bypass - Unsupported
This module creates images of user email addresses and email fields. The module doesn't sufficiently check node access restrictions when displaying such fields. This vulnerability is mitigated by the fact that it only impacts sites using node access. CVE identifiers issued: CVE-2013-0257. Versions...
CVE-2012-4491
The Monthly Archive by Node Type module 6.x for Drupal does not properly check permissions defined by node_access modules, which allows remote attackers to access restricted nodes via unspecified vectors...
CVE-2012-4483
The commons_discussion_views_default_views function in modules/features/commons_discussion/commons_discussion.views_default.inc in the Drupal Commons module 6.x-2.x before 6.x-2.8 for Drupal does not properly enforce intended node access restrictions, which might allow remote attackers to obtain sensiti...
Design/Logic Flaw
The Announcements module 6.x-1.x before 6.x-1.5 for Drupal allows remote authenticated users with the "access announcements" permission to bypass node access restrictions and possibly have other unspecified impact...
CVE-2012-4500
The CVE-2012-4500 entry concerns Drupal’s Announcements module (6.x-1.x) prior to version 6.x-1.5. The vulnerability allows remote authenticated users who have the 'access announcements' permission to bypass node access restrictions, potentially leading to additional unspecified impact. Patch/fix...
CVE-2012-2153
Removed by vendor...
CVE-2012-2153
CVE-2012-2153 affects Drupal 7.x prior to 7.14. The issue is an improper restriction of access to nodes in a list when using a contributed node access module, allowing remote authenticated users with the “Access the content overview page” permission to read all published nodes via the admin/conte...
SA-CONTRIB-2012-120 - Monthly Archive by Node Type - Access Bypass (unsupported)
This module generates a monthly archive and block for specified node types, as well as an archive and block for whichever collection of node types you specify. The module doesn't sufficiently ensure node access for sites that use a node access system. This vulnerability is mitigated by the fact...
SA-CONTRIB-2012-117 - Location - Access Bypass
The Location module allows real-world geographic locations to be associated with Drupal nodes, including people, places, and other content. The Location Search sub-module adds a search page for searching for locations. The Location Search module fails to enforce content and user access permission...
SA-CONTRIB-2012-113 - Drupal Commons - Access Bypass
Drupal Commons is a ready-to-use solution for building either internal or external communities. A Drupal Commons feature, a central module in the distribution, includes a listing of recent comments on discussions. This listing of comments is powered by a view that doesn't fully enforce node acces...
SA-CONTRIB-2012-109 - Restrict node page view - Access bypass
This module enables you to disable direct access to node pages (node/XXX) based on node types and permissions. The module issues a NODE_ACCESS_ALLOW if its permissions are met, but does not respect the "administer nodes" or "access own unpublished content" permissions. The consequence is that this...
Design/Logic Flaw
The Protected Node module 6.x-1.x before 6.x-1.6 for Drupal does not properly "protect node access when nodes are accessed outside of the standard node view," which allows remote attackers to bypass intended access restrictions...
SA-CONTRIB-2012-101 - Protected Node - Access Bypass
The Protected Node module enables users to use a password to restrict access to an individual node or all nodes of a node type. The module doesn't sufficiently protect node access when nodes are accessed outside of the standard node view (i.e. node/1 is protected but other lists are not). CVE:...
SA-CONTRIB-2012-093 - Node Embed - Access Bypass
Node Embed gives content editors an interface for selecting and embedding nodes using a WYSIWYG editor. The interface for selecting nodes is a page that had no access check, allowing users to view node titles they might not have access to. This issue only affects your site if you have unpublished...
SA-CONTRIB-2012-037 - Slidebox - access bypass
CVE: CVE-2012-2063. The Slidebox module allows webmasters to display a link to the next node in a jQuery box that slides in from the right side of the page after a user scrolls past a certain point. While the module checks for "published" status, the module does not contain sufficient usage of...
CVE-2011-2687
Drupal 7.x before 7.3 allows remote attackers to bypass intended node_access restrictions via vectors related to a listing that shows nodes but lacks a JOIN clause for the node table...
SA-CORE-2011-003 - Drupal core - Access bypass
CVE: CVE-2011-2726. Access bypass in private file fields on comments. Drupal 7 contains two new features: the ability to attach File upload fields to any entity type in the system and the ability to point individual File upload fields to the private file directory. If a Drupal site is using these...
SA-CORE-2011-002 - Drupal core - Access bypass
CVE: CVE-2011-2687. Access bypass in node listings: Listings showing nodes but not JOINing the node table show all nodes regardless of restrictions imposed by the node_access system. In core, this affects the taxonomy and the forum subsystem. This issue only affects sites using a node access module...