- Advisory ID: DRUPAL-SA-CONTRIB-2012-134
- Project: Views (third-party module)
- Version: 6.x
- Date: 2012-August-29
- Security risk: Critical
- Exploitable from: Remote
- Vulnerability: Privilege escalation
The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented.
The module incorrectly modifies the global user object in some situations when a view has a uid argument and performs validation on that argument.
This vulnerability is mitigated by the fact that it only affects sites with more roles than default where a role with a low role ID has more privileges than other roles on the site and where untrusted (i.e. potentially malicious) users are granted several of those roles.
- Views 6.x-2.x versions prior to 6.x-2.16.
Install the latest version:
- If you use the Views module for Drupal 6.x, upgrade to Views 6.x-2.16
- Derek Wright one of module maintainers, also of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.