116 matches found
SA-CONTRIB-2010-088 - Content Construction Kit (CCK) - Access Bypass
The Content Construction Kit (CCK) project is a set of modules that allows you to add custom fields to nodes using a web browser. The CCK "Node Reference" module provides a backend URL that is used for asynchronous requests by the "autocomplete" widget to locate nodes the user can reference. In som...
Fedora 13 : drupal-cck-6.x.2.7-1.fc13 (2010-10200)
Advisory ID: DRUPAL-SA-CONTRIB-2010-065 http://drupal.org/node/829566 Project: Content Construction Kit (CCK) (third-party module) Version: 5.x, 6.x Date: 2010-June-16 Security risk: Less Critical Exploitable from: Remote Vulnerability: Access Bypass -------- DESCRIPTION...
CVE-2010-2352
The Node Reference module in Content Construction Kit (CCK) module 5.x before 5.x-1.11 and 6.x before 6.x-2.7 for Drupal does not perform access checks before displaying referenced nodes, which allows remote attackers to read controlled nodes...
CVE-2010-2353
The Node Reference module in Content Construction Kit (CCK) module 6.x before 6.x-2.7 for Drupal does not perform access checks for the source field in the backend URL for the autocomplete widget, which allows remote attackers to discover titles and IDs of controlled nodes...
Improper access control
The Node Reference module in Content Construction Kit (CCK) module 5.x before 5.x-1.11 and 6.x before 6.x-2.7 for Drupal does not perform access checks before displaying referenced nodes, which allows remote attackers to read controlled nodes...
Design/Logic Flaw
The Node Reference module in Content Construction Kit (CCK) module 6.x before 6.x-2.7 for Drupal does not perform access checks for the source field in the backend URL for the autocomplete widget, which allows remote attackers to discover titles and IDs of controlled nodes...
CVE-2010-2352
CVE-2010-2352 affects the Drupal Content Construction Kit (CCK) Node Reference module. The Node Reference feature in CCK 5.x (before 5.x-1.11) and 6.x (before 6.x-2.7) fails to perform access checks when displaying referenced nodes, enabling remote attackers to read nodes they should not access. ...
CVE-2010-2353
The Node Reference module in Content Construction Kit (CCK) module 6.x before 6.x-2.7 for Drupal does not perform access checks for the source field in the backend URL for the autocomplete widget, which allows remote attackers to discover titles and IDs of controlled nodes...
CVE-2010-2352
The Node Reference module in Content Construction Kit (CCK) module 5.x before 5.x-1.11 and 6.x before 6.x-2.7 for Drupal does not perform access checks before displaying referenced nodes, which allows remote attackers to read controlled nodes...
CVE-2010-2353
CVE-2010-2353 affects the Drupal Content Construction Kit (CCK) Node Reference module for Drupal 6.x prior to 6.x-2.7. The backend URL used by the autocomplete widget does not perform field‑level access checks on the source field, allowing remote attackers to discover titles and IDs of nodes the ...
SA-CONTRIB-2010-065 - Content Construction Kit (CCK) - Access Bypass
The Content Construction Kit (CCK) project is a set of modules that allows you to add custom fields to nodes using a web browser. The CCK "Node Reference" module can be configured to display referenced nodes as hidden, title, teaser or full view. Node access was not checked when displaying these...
FreeBSD : drupal6-cck -- XSS (03d22656-2690-11de-8226-0030843d3802)
Drupal CCK plugin developer reports: The Node reference and User reference sub-modules, which are part of the Content Construction Kit (CCK) project, let administrators define node fields that are references to other nodes or to users. When displaying a node edit form, the titles of candidate...
CVE-2009-1069
Multiple cross-site scripting (XSS) vulnerabilities in the node edit form feature in Drupal Content Construction Kit (CCK) 6.x before 6.x-2.2, a module for Drupal, allow remote attackers to inject arbitrary web script or HTML via the (1) titles of candidate referenced nodes in the Node reference...
Cross site scripting
Multiple cross-site scripting (XSS) vulnerabilities in the node edit form feature in Drupal Content Construction Kit (CCK) 6.x before 6.x-2.2, a module for Drupal, allow remote attackers to inject arbitrary web script or HTML via the (1) titles of candidate referenced nodes in the Node reference...
drupal6-cck -- cross-site scripting
Drupal CCK plugin developer reports: The Node reference and User reference sub-modules, which are part of the Content Construction Kit (CCK) project, let administrators define node fields that are references to other nodes or to users. When displaying a node edit form, the titles of candidate...
SA-CONTRIB-2009-013 CCK - Cross site scripting
The Node reference and User reference sub-modules, which are part of the Content Construction Kit (CCK) project, let administrators define node fields that are references to other nodes or to users. When displaying a node edit form, the titles of candidate referenced nodes or names of candidate...