CVE-2010-0752 in week
Summary
by MITRE
The week_post_page function in the Weekly Archive by Node Type module 6.x before 6.x-2.7 for Drupal does not properly implement node access restrictions when constructing SQL queries, which allows remote attackers to read restricted node listings via unspecified vectors.
Analysis
by VulDB Data Team • 05/01/2026
The vulnerability identified as CVE-2010-0752 affects the Weekly Archive by Node Type module for Drupal, in 6.x versions prior to 6.x-2.7. This issue represents a critical access control flaw that undermines the fundamental security mechanisms designed to protect node-level content within Drupal-based systems. The vulnerability resides in the week_post_page function, which is responsible for generating weekly archive listings based on node types, creating a scenario where unauthorized users can bypass normal access controls to view restricted content.
The technical flaw is the improper implementation of node access restrictions during SQL query construction within the module's database interaction layer. When the week_post_page function processes requests for weekly archive listings, it fails to adequately enforce Drupal's node access controls, which should normally prevent users from viewing content they do not have permission to access. The failure occurs during the SQL query generation phase, where the module does not correctly incorporate node access restrictions into its database queries, allowing malicious actors to construct requests that retrieve node listings containing restricted content.
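The flaw class described above, modelled as an added example; it is not the module's code, which this page does not show. It uses Python's sqlite3 with constructed rows in tables shaped like Drupal 6's node and node_access, and compares a weekly listing query that never consults node_access with one that joins it and requires grant_view. The function names, sample rows and the "staff" realm are assumptions; in Drupal 6 itself, listing queries normally receive this condition by being passed through db_rewrite_sql().

```python
import sqlite3

WEEK = 7 * 24 * 3600
T0 = 1_000_000  # start of the sample week (constructed timestamp)

def build_db():
    """Constructed rows in tables modelled on Drupal 6's node and node_access."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE node (nid INTEGER PRIMARY KEY, type TEXT, title TEXT,
                           status INTEGER, created INTEGER);
        CREATE TABLE node_access (nid INTEGER, gid INTEGER, realm TEXT,
                                  grant_view INTEGER);
        INSERT INTO node VALUES (1, 'story', 'Public story', 1, 1000100);
        INSERT INTO node VALUES (2, 'story', 'Staff-only story', 1, 1000200);
        INSERT INTO node VALUES (3, 'page', 'Public page', 1, 1000300);
        INSERT INTO node VALUES (4, 'story', 'Older story', 1, 100);
        -- realm all with gid 0 means everyone; any other realm needs a matching grant
        INSERT INTO node_access VALUES (1, 0, 'all', 1), (3, 0, 'all', 1),
                                       (4, 0, 'all', 1), (2, 5, 'staff', 1);
    """)
    return db

def weekly_listing_unchecked(db, node_type, week_start):
    """Flaw class: filters on type, week and published flag; never reads node_access."""
    rows = db.execute(
        "SELECT n.title FROM node n WHERE n.type = ? AND n.status = 1 "
        "AND n.created >= ? AND n.created < ? ORDER BY n.created",
        (node_type, week_start, week_start + WEEK))
    return [r[0] for r in rows]

def weekly_listing_checked(db, node_type, week_start, user_grants=()):
    """Same listing, restricted to nodes the requester holds a view grant for.
    user_grants: (realm, gid) pairs held by the requesting user."""
    grants = [("all", 0), *user_grants]
    clause = " OR ".join("(na.realm = ? AND na.gid = ?)" for _ in grants)
    params = [node_type, week_start, week_start + WEEK]
    params += [value for grant in grants for value in grant]
    rows = db.execute(
        "SELECT DISTINCT n.nid, n.title, n.created FROM node n "
        "INNER JOIN node_access na ON na.nid = n.nid "
        "WHERE n.type = ? AND n.status = 1 AND n.created >= ? AND n.created < ? "
        f"AND na.grant_view >= 1 AND ({clause}) ORDER BY n.created", params)
    return [r[1] for r in rows]
```

A regression test for a listing page of this kind can assert that the two functions return the same rows only for a user who holds every relevant grant.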
The operational impact of this vulnerability extends beyond simple information disclosure, as it enables remote attackers to systematically enumerate and access restricted content across multiple node types within the Drupal system. Attackers can exploit this vulnerability through unspecified vectors that likely involve manipulating request parameters to bypass access controls, potentially gaining access to confidential information, unpublished content, or restricted node listings that should only be visible to authorized users with appropriate permissions. The vulnerability affects the core node access control model of Drupal, undermining the security boundary between different user roles and their respective content access privileges.
This vulnerability maps to CWE-284, which describes improper access control, specifically focusing on inadequate access restrictions in database query construction. The issue also aligns with ATT&CK technique T1213.002, which involves data from information repositories, as attackers can systematically extract restricted data through the compromised module. The vulnerability demonstrates a classic case of privilege escalation through improper access control implementation, where a module that should enforce access restrictions instead creates a pathway for unauthorized access to restricted content. Organizations running affected versions of the module should immediately apply the security patch released in version 6.x-2.7 to remediate this vulnerability and restore proper node access controls within their content management systems.
The broader implications of this vulnerability highlight the critical importance of proper access control implementation in content management systems, where modules that interact with database queries must properly enforce existing security policies. This issue demonstrates how seemingly minor implementation flaws in access control mechanisms can create significant security risks, particularly in systems where content access is governed by complex user permission models. The vulnerability serves as a reminder of the need for thorough security testing of module implementations, especially those that handle database queries and user access controls.