Drupal CCK "Node Reference" Module < 6.x-2.8 Security Bypass Vulnerability

High Nessus Network Monitor Plugin ID 5643

Synopsis

The remote web server is hosting a web application that is vulnerable to a security bypass attack.

Description

The remote web server hosts a Drupal installation that uses the CCK "Node Reference" module. Versions of the CCK module earlier than 6.x-2.8 are potentially affected by a security bypass vulnerability: the module exposes a backend URL used for asynchronous requests by the 'autocomplete' widget, and that backend fails to correctly check that the requesting user has field-level access to the source field.

Solution

Upgrade to Drupal CCK module 6.x-2.8 or later.

See Also

http://drupal.org/node/880736

Plugin Details

Severity: High

ID: 5643

File Name: 5643.prm

Family: CGI

Published: 2010/08/19

Modified: 2016/01/15

Dependencies: 1442

Risk Information

Risk Factor: High

CVSSv2

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSSv3

Base Score: 7.3

Temporal Score: 6.8

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS3#E:F/RL:O/RC:C

Vulnerability Information

Patch Publication Date: 2010/08/11

Vulnerability Publication Date: 2010/08/11

Reference Information

BID: 42400

OSVDB: 67090