[IT-SecNots] [Security-news] Views - Less Critical - Access Bypass - SA-CONTRIB-2016-036

[security-news AT drupal.org]

View online: https://www.drupal.org/node/2749333

  * Advisory ID: DRUPAL-SA-CONTRIB-2016-036
  * Project: Views [1]     (third-party module)
  * Version: 7.x
  * Date: 2016-June-15
  * Security risk: 7/25 ( Less Critical)
    AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
  * Vulnerability: Access bypass

-------- DESCRIPTION
---------------------------------------------------------

An access bypass vulnerability exists in the Views module, where users
without the "View content count" permission can see the number of hits
collected by the Statistics module for results in the view.

This issue is mitigated by the fact that the view must be configured to show
a "Content statistics" field, such as "Total views", "Views today" or "Last
visit".

The same vulnerability exists in the Drupal 8 core Views module
SA-CORE-2016-002 [3]


-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------

  * /A CVE identifier [4] will be requested, and added upon issuance, in
    accordance with Drupal Security Team processes./

-------- VERSIONS AFFECTED
---------------------------------------------------

  * Views 7.x-3.x versions prior to 7.x-3.14.

Drupal core is not affected. If you do not use the contributed Views [5]
module, there is nothing you need to do.

-------- SOLUTION
------------------------------------------------------------

Install the latest version:

  * If you use the Views module for Drupal 7.x, upgrade to  Views 7.x-3.14 
[6]

Also see the Views [7] project page.

-------- REPORTED BY
---------------------------------------------------------

  * Nickolay Leshchev [8]

-------- FIXED BY
------------------------------------------------------------

  * Nathaniel Catchpole [9] of the Drupal Security Team
  * Greg Knaddison [10] of the Drupal Security Team
  * Nickolay Leshchev [11]
  * Stefan Ruijsenaars [12] of the Drupal Security Team
  * David Snopek [13] of the Drupal Security Team
  * Daniel Wehner [14]

-------- COORDINATED BY
------------------------------------------------------

  * xjm [15] of the Drupal Security Team
  * Michael Hess [16] of the Drupal Security Team
  * Klaus Purer [17] of the Drupal Security Team
  * Stefan Ruijsenaars [18] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [19].

Learn more about the Drupal Security team and their policies [20], writing
secure code for Drupal [21], and  securing your site [22].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [23]


[1] https://www.drupal.org/project/views
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/SA-CORE-2016-002
[4] http://cve.mitre.org/
[5] https://www.drupal.org/project/views
[6] https://www.drupal.org/node/2749373
[7] https://www.drupal.org/project/views
[8] https://www.drupal.org/user/982724
[9] https://www.drupal.org/user/35733
[10] https://www.drupal.org/user/36762
[11] https://www.drupal.org/user/982724
[12] https://www.drupal.org/user/551886
[13] https://www.drupal.org/user/266527
[14] https://www.drupal.org/user/99340
[15] https://www.drupal.org/user/65776
[16] https://www.drupal.org/user/102818
[17] https://www.drupal.org/user/262198
[18] https://www.drupal.org/user/551886
[19] https://www.drupal.org/contact
[20] https://www.drupal.org/security-team
[21] https://www.drupal.org/writing-secure-code
[22] https://www.drupal.org/security/secure-configuration
[23] https://twitter.com/drupalsecurity

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news