• Advisory ID: DRUPAL-SA-CONTRIB-2009-083
  • Project: CCK Comment Reference (third-party module)
  • Version: 6.x
  • Date: 2009-October-28
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Access Bypass


The CCK Comment Reference module enables administrators to define node fields that are references to comments. Users can access comments through the autocomplete path that the module provides even if they don't have access to read comments.

Versions affected

Drupal core is not affected. If you do not use the contributed CCK Comment Reference module, there is nothing you need to do.


Install the latest version.

Reported by

Fixed by


The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.