Date: 2019-March-13
Vulnerability: Information disclosure
Description: 

This module enables you to create customized lists of data.

The module does not build queries correctly when used with exposed filters, leading to a possible information disclosure vulnerability in certain rare circumstances.

This vulnerability is mitigated by the fact that a view must have an exposed filter on a field that is used on multiple entity types, both of which are included in the view.

Solution: 

Install the latest version:

  • If you use the Views module for Drupal 7.x, upgrade to Views 7.x-3.21

Also see the Views project page.

Reported By: 
Coordinated By: 

Additional information

Note: Drupal issues individual security advisories for separate vulnerabilities included in a release, rather than lumping "multiple vulnerabilities" into a single advisory. All advisories released today for Views: