CVE-2009-0382
Description
Unspecified vulnerability in Internationalization (i18n) Translation 5.x before 5.x-2.5, a module for Drupal, allows remote attackers with "translate node" permissions to bypass intended access restrictions and read unpublished nodes via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Drupal's i18n Translation module 5.x before 5.x-2.5 lets users with the 'translate node' permission bypass access controls and read unpublished nodes.
Vulnerability
The Internationalization (i18n) Translation module for Drupal 5.x, versions prior to 5.x-2.5, contains an unspecified access bypass vulnerability [1]. The module allows users with the translate node permission to create translations of existing content (nodes) by copying the original node's content into a new translation node. The flaw permits a user who can translate nodes to also view the content of unpublished nodes, even if they lack explicit permission to view unpublished nodes [1].
Exploitation
A remote attacker must have the translate node permission assigned to their Drupal user account. No other special network position or authentication is required beyond a valid Drupal login with that permission. The attacker can exploit the vulnerability by initiating the translation process on an unpublished node, which copies the node's content—thereby revealing the unpublished content to the attacker [1]. The exact vectors are unspecified, but the access bypass occurs during the translation operation.
Impact
Successful exploitation leads to unauthorized information disclosure. A user with translate node privileges can read the content of unpublished nodes, bypassing standard Drupal access controls that should restrict such viewing. The attacker gains read access to sensitive or draft content that would otherwise remain hidden from them. The impact is limited to information disclosure; no modification or deletion of nodes is reported.
Mitigation
The vulnerability is fixed in Internationalization (i18n) 5.x-2.5, released on January 14, 2009 [1]. Users of 5.x-2.x should upgrade to 5.x-2.5 immediately. Drupal core is not affected; only sites using the contributed i18n module are vulnerable. No workaround is provided. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:drupal:internationalization:*:*:*:*:*:*:*:* (range: <=5.x-2.3)
- cpe:2.3:a:drupal:internationalization:5.x-1.1:*:*:*:*:*:*:*
- Range: <5.x-2.5
Patches
No patches discovered yet.
References
- drupal.org/node/358958 (nvd; Patch, Vendor Advisory)
- secunia.com/advisories/33549 (nvd; Vendor Advisory)
- www.securityfocus.com/bid/33283 (nvd)