The Forward module 6.x-1.x before 6.x-1.21 and 7.x-1.x before 7.x-1.3 for Drupal does not properly enforce permissions for (1) Recent forwards, (2) Most forwarded, or (3) Dynamic blocks, which allows remote attackers to obtain node titles via unspecified vectors.
https://exchange.xforce.ibmcloud.com/vulnerabilities/72920
http://www.securityfocus.com/bid/51826
http://secunia.com/advisories/47851