[Security-news] SA-CONTRIB-2009-115 - Autocomplete Widgets for CCK Text and Number - Information Disclosure

security-news at drupal.org security-news at drupal.org
Wed Dec 30 18:00:23 UTC 2009


  * Advisory ID: DRUPAL-SA-CONTRIB-2009-115
  * Project: Autocomplete Widgets for CCK Text and Number (third-party module)
  * Version: 6.x
  * Date: 2009-December-30
  * Security risk: Less Critical
  * Exploitable from: Remote
  * Vulnerability: Information Disclosure

-------- DESCRIPTION ---------------------------------------------------------

Autocomplete Widgets module adds 2 autocomplete widgets for CCK fields of
type Text and Number. The autocomplete callback implemented by this module
does not honor permissions to access CCK fields, allowing users to see field
values even though they are not authorized to access that information.

-------- VERSIONS AFFECTED ---------------------------------------------------

  * Autocomplete Widgets module 6.x-1.2 and prior versions on the 6.x-1.x
    branch

Drupal core is not affected. If you do not use the contributed Autocomplete
Widgets [1] module, there is nothing you need to do.

-------- SOLUTION ------------------------------------------------------------

Install the latest version:
  * If you use the Autocomplete Widgets module for Drupal 6.x, upgrade to
    Autocomplete Widgets 6.x-1.3 [2]

See also the Autocomplete Widgets module project page [3].
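
To check an existing site against the affected range above, the sketch below reads the version line from the module's .info file and classifies it. It is an added example, not part of the advisory or of the module's code; it assumes the file is autocomplete_widgets.info and carries the usual packaged version key, and the sample text is constructed.

```python
import re

FIXED = (1, 3)  # 6.x-1.3, the fixed release named under SOLUTION

# Constructed sample of an installed module's .info file (not from the advisory).
SAMPLE_INFO = '''name = Autocomplete Widgets
core = 6.x
; Information added by packaging script
version = "6.x-1.2"
'''

def info_version(info_text):
    """Return the value of the 'version' key in .info text, or None if absent."""
    m = re.search(r'^[ \t]*version[ \t]*=[ \t]*"?([^"\r\n]+?)"?[ \t]*$', info_text, re.M)
    return m.group(1) if m else None

def classify(version):
    """Return 'affected', 'fixed', 'not-applicable' or 'unknown' for a version string."""
    if version is None:
        return "unknown"             # no version key, e.g. a VCS checkout
    if not version.startswith("6.x-"):
        return "not-applicable"      # advisory lists Version: 6.x only
    m = re.match(r'^6\.x-(\d+)\.(\d+|x)(-.+)?$', version)
    if not m:
        return "unknown"
    major, minor, suffix = m.groups()
    if major != "1":
        return "not-applicable"      # only the 6.x-1.x branch is listed
    if minor == "x" or suffix:
        return "unknown"             # dev snapshot or pre-release: verify by hand
    # Compare numerically so that 1.10 sorts after 1.3.
    return "affected" if (int(major), int(minor)) < FIXED else "fixed"

def check_info(info_text):
    """Classify a module install from the text of its .info file."""
    return classify(info_version(info_text))

if __name__ == "__main__":
    print(check_info(SAMPLE_INFO))
```

An "unknown" result (development snapshot, pre-release, or no version key) needs a manual comparison against the 6.x-1.3 release.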

-------- REPORTED BY ---------------------------------------------------------

mr.baileys [4]

-------- FIXED BY ------------------------------------------------------------

markus_petrux [5], the Autocomplete Widgets module maintainer

-------- CONTACT -------------------------------------------------------------

The security team for Drupal can be reached at security at drupal.org or via
the form at http://drupal.org/contact.

[1] http://drupal.org/project/autocomplete_widgets
[2] http://drupal.org/node/670928
[3] http://drupal.org/project/autocomplete_widgets
[4] http://drupal.org/user/383424
[5] http://drupal.org/user/39593


