VYPR
Moderate severity · NVD Advisory · Published Oct 1, 2012 · Updated Apr 29, 2026

CVE-2012-2153

Description

Drupal 7.x before 7.14 allows authenticated users with 'Access the content overview page' permission to read all published nodes via admin/content when a contributed node access module is used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Drupal 7.x versions prior to 7.14, when a contributed node access module is used, the access control for nodes displayed in lists on the admin/content page is not properly enforced. This allows remote authenticated users who have the "Access the content overview page" permission to view all published nodes, even those they should not have access to. The issue affects Drupal 7.x before 7.14 [1].

Exploitation

An attacker must be a remote authenticated user with the "Access the content overview page" permission. By navigating to the admin/content page, the attacker can see a list of all published nodes, bypassing normal node access restrictions imposed by contributed node access modules.

Impact

Successful exploitation results in unauthorized disclosure of all published nodes. The attacker gains read access to content that is published but restricted by role or by other access control modules, such as private content. No additional privileges are obtained.

Mitigation

The vulnerability is fixed in Drupal 7.14, released on May 2, 2012 [4]. Users should upgrade to Drupal 7.14 or later. There is no known workaround. Users of Drupal 5 or 6 are not affected as this issue is specific to Drupal 7.x.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
drupal/drupal (Packagist) | >= 7.0, < 7.14 | 7.14

Affected products

  • Drupal/Drupal (30 versions)
    • cpe:2.3:a:drupal:drupal:7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.0:alpha1:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.0:alpha2:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.0:alpha3:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.0:alpha4:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.0:alpha5:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.0:alpha6:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.0:alpha7:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.0:beta1:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.0:beta2:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.0:beta3:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.0:dev:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.10:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.11:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.12:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.13:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.2:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.3:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.4:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.5:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.6:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.7:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.8:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.9:*:*:*:*:*:*:*
    • cpe:2.3:a:drupal:drupal:7.x-dev:*:*:*:*:*:*:*
  • ghsa-coords
    Range: >= 7.0, < 7.14
