CVE-2010-1548

Name of the Vulnerable Software and Affected Versions Chaos Tool Suite (aka CTools) module versions 6.x before 6.x-1.4 for Drupal

Description The auto-complete functionality does not follow access restrictions, allowing remote authenticated users with "access content" privileges to read the title of an unpublished node. This can be achieved by using a specific value, such as 'q=ctools/autocomplete/node/' accompanied by the first character of the node's title, in the API endpoint "q=ctools/autocomplete/node/".

Recommendations For Chaos Tool Suite (aka CTools) module versions 6.x before 6.x-1.4, update to version 6.x-1.4 or later to resolve the issue.