Views (for Drupal 7) - Less critical - Cross site scripting - SA-CONTRIB-2019-036

Project:

Views (for Drupal 7)

Date:

2019-March-13

Security risk:

Less critical 7 ∕ 25 AC:Complex/A:None/CI:None/II:None/E:Theoretical/TD:Uncommon

Vulnerability:

Cross site scripting

Description:

This module enables you to create customized lists of data.

The module doesn't sufficiently sanitize certain field types, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that a view must display a field with the format "Full data (serialized)" and an attacker must have the ability to store malicious markup in that field.

Solution:

Install the latest version:

If you use the Views module for Drupal 7.x, upgrade to Views 7.x-3.21

Also see the Views project page.

Reported By:

Ralf Stamm

Fixed By:

Ralf Stamm
Damian Lee
Daniel Wehner
David Snopek of the Drupal Security Team
Nate Lampton

Coordinated By:

Michael Hess of the Drupal Security Team.

Additional information

Note: Drupal issues individual security advisories for separate vulnerabilities included in a release, rather than lumping "multiple vulnerabilities" into a single advisory. All advisories released today for Views:

Contribution record

Views (for Drupal 7) - Less critical - Cross site scripting - SA-CONTRIB-2019-036

Additional information

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community