Vulnerability Details : CVE-2010-2353
The Node Reference module in Content Construction Kit (CCK) module 6.x before 6.x-2.7 for Drupal does not perform access checks for the source field in the backend URL for the autocomplete widget, which allows remote attackers to discover titles and IDs of controlled nodes.
Exploit prediction scoring system (EPSS) score for CVE-2010-2353
Probability of exploitation activity in the next 30 days: 0.64%
Percentile (the proportion of vulnerabilities with an EPSS score at or below this one): ~76%
CVSS scores for CVE-2010-2353
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST
CWE ids for CVE-2010-2353
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2010-2353
- http://drupal.org/node/829566
  SA-CONTRIB-2010-065 - Content Construction Kit (CCK) - Access Bypass | Drupal.org (Patch)
- http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043100.html
  [SECURITY] Fedora 11 Update: drupal-cck-6.x.2.7-1.fc11
- https://exchange.xforce.ibmcloud.com/vulnerabilities/59515
  Content Construction Kit (CCK) module for Drupal Node Reference information disclosure CVE-2010-2353 Vulnerability Report
- http://www.vupen.com/english/advisories/2010/1546
- http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043191.html
  [SECURITY] Fedora 13 Update: drupal-cck-6.x.2.7-1.fc13
- http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043172.html
  [SECURITY] Fedora 12 Update: drupal-cck-6.x.2.7-1.fc12
Products affected by CVE-2010-2353
- cpe:2.3:a:yves_chedemois:cck:6.x-2.6:*:*:*:*:*:*:*
- cpe:2.3:a:yves_chedemois:cck:6.x-2.5:*:*:*:*:*:*:*
- cpe:2.3:a:yves_chedemois:cck:6.x-2.0:rc10:*:*:*:*:*:*
- cpe:2.3:a:yves_chedemois:cck:6.x-2.0:rc9:*:*:*:*:*:*
- cpe:2.3:a:yves_chedemois:cck:6.x-2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:yves_chedemois:cck:6.x-2.0:beta:*:*:*:*:*:*
- cpe:2.3:a:yves_chedemois:cck:6.x-2.1:*:*:*:*:*:*:*
- cpe:2.3:a:yves_chedemois:cck:6.x-2.0:*:*:*:*:*:*:*
- cpe:2.3:a:yves_chedemois:cck:6.x-2.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:yves_chedemois:cck:6.x-2.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:yves_chedemois:cck:6.x-2.3:*:*:*:*:*:*:*
- cpe:2.3:a:yves_chedemois:cck:6.x-2.2:*:*:*:*:*:*:*
- cpe:2.3:a:yves_chedemois:cck:6.x-2.0:rc5:*:*:*:*:*:*
- cpe:2.3:a:yves_chedemois:cck:6.x-2.0:rc4:*:*:*:*:*:*
- cpe:2.3:a:yves_chedemois:cck:6.x-1.x-dev:*:*:*:*:*:*:*
- cpe:2.3:a:yves_chedemois:cck:6.x-2.4:*:*:*:*:*:*:*
- cpe:2.3:a:yves_chedemois:cck:6.x-3.x-dev:*:*:*:*:*:*:*
- cpe:2.3:a:yves_chedemois:cck:6.x-2.0:rc8:*:*:*:*:*:*
- cpe:2.3:a:yves_chedemois:cck:6.x-2.0:rc7:*:*:*:*:*:*
- cpe:2.3:a:yves_chedemois:cck:6.x-2.0:rc6:*:*:*:*:*:*
- cpe:2.3:a:yves_chedemois:cck:6.x-2.x-dev:*:*:*:*:*:*:*
- cpe:2.3:a:yves_chedemois:cck:6.x-1.0-alpha:*:*:*:*:*:*:*