• Advisory ID: DRUPAL-SA-CONTRIB-2010-067
  • Project: Views (third-party module)
  • Version: 5.x, 6.x
  • Date: 2010-June-16
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities


The Views module provides a flexible method for Drupal site designers to control how lists and tables of content are presented.

Cross Site Request Forgery (CSRF)

The Views UI module, which is included with Views, can be used to enable/disable Views by following a link to a particular page (e.g. admin/build/views/disable/frontpage). As no protections, such as form tokens, are in place to prevent forged requests to these pages, the feature is vulnerable to a Cross Site Request Forgery (CSRF) that would allow an attacker to enable/disable all Views on a site.

Mitigating factors: If Views UI module is disabled Views will no longer be affected by this vulnerability.

This issue affects Views for Drupal 5 and Drupal 6.

Cross Site Scripting (XSS)

Under certain circumstances, Views could display URLs or aggregator feed titles without escaping, resulting in a Cross Site Scripting (XSS) vulnerability. An attacker could exploit this to gain full administrative access.

This issue affects Views for Drupal 6 only.

Versions affected

  • Views module for Drupal 5.x versions prior to 5.x-1.8
  • Views module for Drupal 6.x versions prior to 6.x-2.11

Drupal core is not affected. If you do not use the contributed Views module, there is nothing you need to do.


Install the latest version:

  • If you use the Views module for Drupal 5.x upgrade to Views 5.x-1.8
  • If you use the Views module for Drupal 6.x upgrade to Views 6.x-2.11

See also the Views project page.

Reported by

  • The Cross Site Request Forgery (CSRF) vulnerability was reported by Martin Barbella (mbarbella).
  • The Cross Site Scripting (XSS) vulnerabilities were reported by Earl Miles (merlinofchaos), module maintainer and Daniel Wehner (dereine), module co-maintainer

Fixed by


The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.