The Relevant Content module 5.x before 5.x-1.4 and 6.x before 6.x-1.5 for Drupal does not properly implement node access logic, which allows remote attackers to discover restricted node titles and relationships.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| nicholas_thompson | relevant_content | 6.x-1.3 |
| nicholas_thompson | relevant_content | 5.x-1.2 |
| nicholas_thompson | relevant_content | 5.x-1.3 |
| nicholas_thompson | relevant_content | 5.x-1.1 |
| nicholas_thompson | relevant_content | 6.x-1.4 |
| nicholas_thompson | relevant_content | 5.x-1.0 |
| nicholas_thompson | relevant_content | 5.x-1.x-dev |
| nicholas_thompson | relevant_content | 6.x-1.1 |
| nicholas_thompson | relevant_content | 6.x-1.0 |
| nicholas_thompson | relevant_content | 6.x-1.2 |
| nicholas_thompson | relevant_content | 6.x-1.x-dev |
The Node Quick Find module 6.x-1.1 for Drupal does not use db_rewrite_sql when presenting node titles, which allows remote attackers to bypass intended access restrictions and read potentially sensitive node titles via the autocomplete feature.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| nicholas_thompson | node_quick_find | 6.x-1.1 |