CVE-2010-1548

Severity

35%

Complexity

68%

Confidentiality

48%

The auto-complete functionality in the Chaos Tool Suite (aka CTools) module 6.x before 6.x-1.4 for Drupal does not follow access restrictions, which allows remote authenticated users, with "access content" privileges, to read the title of an unpublished node via a q=ctools/autocomplete/node/ value accompanied by the first character of the node's title.

CVSS 2.0 Base Score 3.5. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N).

Overview

Type

Chaos Tool Suite Project ctools for Drupal

First reported 14 years ago

2010-05-21 20:30:00

Last updated 7 years ago

2017-08-17 01:32:00

Affected Software

Chaos Tool Suite Project ctools for Drupal 6.x-1.0

6.x-1.0
drupal

Chaos Tool Suite Project ctools for Drupal 6.x-1.0 alpha1

6.x-1.0
drupal

Chaos Tool Suite Project ctools for Drupal 6.x-1.0 alpha2

6.x-1.0
drupal

Chaos Tool Suite Project ctools for Drupal 6.x-1.0 alpha3

6.x-1.0
drupal

Chaos Tool Suite Project ctools for Drupal 6.x-1.0 beta1

6.x-1.0
drupal

Chaos Tool Suite Project ctools for Drupal 6.x-1.0 beta2

6.x-1.0
drupal

Chaos Tool Suite Project ctools for Drupal 6.x-1.0 beta3

6.x-1.0
drupal

Chaos Tool Suite Project ctools for Drupal 6.x-1.0 beta4

6.x-1.0
drupal

Chaos Tool Suite Project ctools for Drupal 6.x-1.0 release candidate 1

6.x-1.0
drupal

Chaos Tool Suite Project ctools for Drupal 6.x-1.1

6.x-1.1
drupal

Chaos Tool Suite Project ctools for Drupal 6.x-1.2

6.x-1.2
drupal

Chaos Tool Suite Project ctools for Drupal 6.x-1.3

6.x-1.3
drupal

Chaos Tool Suite Project ctools for Drupal 6.x-1.x dev

6.x-1.x
drupal
