CVE-2013-1973
Description
The autocomplete callback in Autocomplete Widgets for Text and Number Fields (autocomplete_widgets) module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.0-rc1 does not properly handle node permissions, which allows remote authenticated users to obtain sensitive field values via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Autocomplete Widgets for Text and Number Fields module fails to enforce node access checks, allowing authenticated users to retrieve restricted field values.
Vulnerability
The Autocomplete Widgets for Text and Number Fields (autocomplete_widgets) module for Drupal 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.0-rc1 contains an access bypass vulnerability in its autocomplete callback [1][3]. The callback does not properly check node permissions before returning field values, allowing sensitive information to be retrieved by unauthorized users [3]. Versions affected: Autocomplete Widgets 6.x-1.x prior to 6.x-1.4, and 7.x-1.x prior to 7.x-1.0-rc1 [3].
Exploitation
An attacker must have a Drupal role that grants permission to create or edit content [3]. The attacker can then trigger the autocomplete callback on a node field they are not authorized to view, and the callback will return field values without enforcing node access control [3]. No special network position is required; the attack is performed through normal Drupal HTTP requests.
Impact
A remote authenticated attacker can obtain sensitive field values from nodes they should not be able to access [3]. This results in unauthorized information disclosure, potentially exposing confidential data stored in text or number fields. The attacker does not need to interact with other users, and the attack does not require any race window or write access [3].
Mitigation
Users should upgrade to the latest fixed versions: Autocomplete Widgets 6.x-1.4 for Drupal 6.x, or Autocomplete Widgets 7.x-1.0-rc1 for Drupal 7.x [3][4]. These releases were published on 16 April 2013 [2][4]. There is no known workaround for sites that cannot immediately upgrade. This CVE is not listed in the CISA Known Exploited Vulnerabilities catalog as of its publication date.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:autocomplete_widgets_project:autocomplete_widgets:6.x-1.0:-:-:*:-:drupal:*:*
- cpe:2.3:a:autocomplete_widgets_project:autocomplete_widgets:6.x-1.1:-:-:*:-:drupal:*:*
- cpe:2.3:a:autocomplete_widgets_project:autocomplete_widgets:6.x-1.2:-:-:*:-:drupal:*:*
- cpe:2.3:a:autocomplete_widgets_project:autocomplete_widgets:6.x-1.3:-:-:*:-:drupal:*:*
- cpe:2.3:a:autocomplete_widgets_project:autocomplete_widgets:7.x-1.x:alpha1:-:*:-:drupal:*:*
- cpe:2.3:a:autocomplete_widgets_project:autocomplete_widgets:7.x-1.x:beta1:-:*:-:drupal:*:*
- cpe:2.3:a:autocomplete_widgets_project:autocomplete_widgets:7.x-1.x:beta2:-:*:-:drupal:*:*
- cpe:2.3:a:autocomplete_widgets_project:autocomplete_widgets:7.x-1.x:dev:-:*:-:drupal:*:*
- Range: 6.x < 1.4, 7.x < 1.0-rc1
Patches
No patches discovered yet.
References
- drupal.org/node/1971848 (nvd; Patch)
- drupal.org/node/1971856 (nvd; Patch)
- drupal.org/node/1972976 (nvd; Patch, Vendor Advisory)
- osvdb.org/92532 (nvd)
- secunia.com/advisories/52996 (nvd)