- Advisory ID: DRUPAL-SA-CONTRIB-2009-115
- Project: Autocomplete Widgets for CCK Text and Number (third-party module)
- Version: 6.x
- Date: 2009-December-30
- Security risk: Less Critical
- Exploitable from: Remote
- Vulnerability: Information Disclosure
Description
The Autocomplete Widgets module adds 2 autocomplete widgets for CCK fields of type Text and Number.
The autocomplete callback implemented by this module does not honor permissions to access CCK fields, allowing users to see field values even though they are not authorized to access that information.
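The flaw described above, modelled in plain PHP as an added example; it is not the module's code or its 6.x-1.3 fix. The field names, permission strings, sample values and the `user_can_view_field()` helper are constructed stand-ins for the site's own field-access check.

```php
<?php
// Added illustration, not the module's code. All names and data are constructed.
$fields = array(
  'field_city' => array('view_perm' => 'view field_city', 'values' => array('Berlin', 'Bern', 'Boston')),
  'field_salary' => array('view_perm' => 'view field_salary', 'values' => array('52000', '58000', '61000')),
);
$editor = array('permissions' => array('view field_city', 'view field_salary'));
$visitor = array('permissions' => array('view field_city'));

// Hypothetical stand-in for the site's per-field access check.
function user_can_view_field(array $account, array $field) {
  return in_array($field['view_perm'], $account['permissions'], TRUE);
}

// Prefix match over stored values, as an autocomplete query would do.
function matching_values(array $field, $typed, $limit = 10) {
  $out = array();
  foreach ($field['values'] as $value) {
    if ($typed !== '' && stripos($value, $typed) === 0) {
      $out[] = $value;
    }
  }
  return array_slice($out, 0, $limit);
}

// Flawed pattern: the callback answers for any field, whoever asks.
function autocomplete_unchecked(array $fields, array $account, $field_name, $typed) {
  if (!isset($fields[$field_name])) {
    return array('status' => 404, 'matches' => array());
  }
  return array('status' => 200, 'matches' => matching_values($fields[$field_name], $typed));
}

// Hardened pattern: check field access before querying. Unknown and forbidden
// fields get the same response, so the callback does not confirm field names.
function autocomplete_checked(array $fields, array $account, $field_name, $typed) {
  if (!isset($fields[$field_name]) || !user_can_view_field($account, $fields[$field_name])) {
    return array('status' => 403, 'matches' => array());
  }
  return array('status' => 200, 'matches' => matching_values($fields[$field_name], $typed));
}

// The visitor lacks 'view field_salary'; only the checked callback refuses.
foreach (array('autocomplete_unchecked', 'autocomplete_checked') as $callback) {
  foreach (array('visitor' => $visitor, 'editor' => $editor) as $who => $account) {
    $result = $callback($fields, $account, 'field_salary', '5');
    echo "$callback / $who: " . json_encode($result) . "\n";
  }
}
```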
Versions affected
- Autocomplete Widgets module 6.x-1.2 and prior versions on the 6.x-1.x branch
Drupal core is not affected. If you do not use the contributed Autocomplete Widgets module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Autocomplete Widgets module for Drupal 6.x, upgrade to Autocomplete Widgets 6.x-1.3
See also the Autocomplete Widgets module project page.
Reported by
Fixed by
markus_petrux, the Autocomplete Widgets module maintainer
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.