• Advisory ID: DRUPAL-SA-CONTRIB-2012-134
  • Project: Views (third-party module)
  • Version: 6.x
  • Date: 2012-August-29
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Privilege escalation

Description

The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented.

The module incorrectly modifies the global user object in some situations when a view has a uid argument and performs validation on that argument.

This vulnerability is mitigated by the fact that it only affects sites with more roles than default where a role with a low role ID has more privileges than other roles on the site and where untrusted (i.e. potentially malicious) users are granted several of those roles.

CVE: Requested

Versions affected

  • Views 6.x-2.x versions prior to 6.x-2.16.

Drupal core is not affected. If you do not use the contributed module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Views module for Drupal 6.x, upgrade to Views 6.x-2.16

Also see the project page.

Reported by

Fixed by

  • Derek Wright one of module maintainers, also of the Drupal Security Team

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.