- Advisory ID: DRUPAL-SA-CONTRIB-2012-134
- Project: Views (third-party module)
- Version: 6.x
- Date: 2012-August-29
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Privilege escalation
Description
The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented.
The module incorrectly modifies the global user object in some situations when a view has a uid argument and performs validation on that argument.
This vulnerability is mitigated by the fact that it only affects sites with more roles than default where a role with a low role ID has more privileges than other roles on the site and where untrusted (i.e. potentially malicious) users are granted several of those roles.
CVE: Requested
Versions affected
- Views 6.x-2.x versions prior to 6.x-2.16.
Drupal core is not affected. If you do not use the contributed module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Views module for Drupal 6.x, upgrade to Views 6.x-2.16
Reported by
- Derek Wright of the Drupal Security Team
- John Preto
Fixed by
- Derek Wright one of module maintainers, also of the Drupal Security Team
Coordinated by
- Greg Knaddison of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.