
it-securitynotifies - [IT-SecNots] [Security-news] Update on Views Ajax vulnerability for Drupal 7 Views and Drupal 8 core. -- PSA-2017-002

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

List archive

Chronological thread
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Update on Views Ajax vulnerability for Drupal 7 Views and Drupal 8 core. -- PSA-2017-002
  • Date: Thu, 17 Aug 2017 03:05:40 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/PSA-2017-002

* Advisory ID: DRUPAL-PSA-2017-002
* Project: Drupal contributed modules
* Version: 7.x, 8.x
* Date: 2017-Aug-16

-------- DESCRIPTION ---------------------------------------------------------

The Drupal Security Team is now aware that the Views AJAX access bypass
vulnerability (DRUPAL-SA-CONTRIB-2017-068 [1] and SA-CORE-2017-004 [2])
released 16 Aug 2017 is more severe than originally announced, because many
widely used contrib modules do not set access restrictions on the default
views they provide. Any view whose default (master) display has no access
control configured may be vulnerable. The vulnerability does not require any
authentication to be exploited. A successful exploit results in some
non-public data being made public.

Sites running versions of Views prior to 7.x-3.17 or Drupal 8 core prior to
version 8.3.7 (including Drupal 8.1.x and 8.2.x) should update immediately.
Drupal 7 core is only affected if the Views module is enabled.

If you are unable to update Views, you can mitigate this by editing views
that contain sensitive data in the Views UI and making sure they use one of
the permission controls, such as 'require a role' or 'require a permission',
on the default (master) display. See the Views permissions manual page [3]
for more information.
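Before deciding which views to edit, a site owner needs a list of the views whose default (master) display has no access control at all, including the ones shipped by contrib modules that nobody has ever opened in the Views UI. The following Drush script is an added example, not code from the advisory or from the Views project; it reports every enabled view whose default display has access type 'none' (or no access setting, which Views treats as 'none'), and lists the other displays so you can see whether they inherit that setting or override it. The file name and the Drush invocation in the header comment are assumptions.

```php
<?php
/**
 * Added audit example (not Drupal's or the Views project's own code).
 * Lists enabled views whose default (master) display has no access
 * control, i.e. the views PSA-2017-002 says may expose non-public data.
 *
 * Run from the site root with Drush (invocation assumed):
 *   drush scr audit-views-access.php     # Drupal 7 or Drupal 8
 */

/**
 * Returns [view_id => [display_id => access_type]] for every enabled view
 * whose default display is unprotected. A display without its own 'access'
 * option is reported as 'inherit'; on the default display that means the
 * Views default of 'none', on any other display it means "same as default".
 */
function views_access_audit_find_unprotected() {
  $found = [];

  if (function_exists('views_get_all_views')) {
    // Drupal 7: each view carries a ->display array of display objects.
    foreach (views_get_all_views() as $id => $view) {
      if (!empty($view->disabled)) {
        continue;
      }
      $displays = [];
      foreach ($view->display as $display_id => $display) {
        $displays[$display_id] = isset($display->display_options['access']['type'])
          ? $display->display_options['access']['type']
          : 'inherit';
      }
      if (in_array($displays['default'], ['inherit', 'none'], TRUE)) {
        $found[$id] = $displays;
      }
    }
  }
  elseif (class_exists('\Drupal\views\Entity\View')) {
    // Drupal 8: views are config entities; display settings live in
    // $view->getDisplay($id)['display_options'].
    foreach (\Drupal\views\Entity\View::loadMultiple() as $id => $view) {
      if (!$view->status()) {
        continue;
      }
      $displays = [];
      foreach (array_keys($view->get('display')) as $display_id) {
        $display = $view->getDisplay($display_id);
        $displays[$display_id] = isset($display['display_options']['access']['type'])
          ? $display['display_options']['access']['type']
          : 'inherit';
      }
      if (in_array($displays['default'], ['inherit', 'none'], TRUE)) {
        $found[$id] = $displays;
      }
    }
  }
  else {
    fwrite(STDERR, "Views module not available in this bootstrap.\n");
  }

  return $found;
}

$unprotected = views_access_audit_find_unprotected();
if (!$unprotected) {
  print "No enabled view has an unprotected default display.\n";
}
foreach ($unprotected as $id => $displays) {
  printf("%s: default display access = '%s'\n", $id, $displays['default']);
  foreach ($displays as $display_id => $type) {
    if ($display_id !== 'default') {
      printf("  %s: %s\n", $display_id, $type);
    }
  }
}
```

The script only reports; apply the fix in the Views UI as the advisory describes, on the default display, so that every display inheriting from it is covered. A view whose page displays override access with 'require a permission' but whose default display is still 'none' is deliberately listed, because the advisory ties the exposure to the default display, not to the page displays you normally browse.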
-------- CONTACT AND MORE INFORMATION ----------------------------------------

The Drupal Security Team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [4].

Learn more about the Drupal Security Team and their policies [5], writing
secure code for Drupal [6], and securing your site [7].

Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [8]


[1] https://www.drupal.org/node/2902604
[2] https://www.drupal.org/SA-CORE-2017-004
[3] https://www.drupal.org/docs/7/modules/views/views-howtos/views-permissions
[4] https://www.drupal.org/contact
[5] https://www.drupal.org/security-team
[6] https://www.drupal.org/writing-secure-code
[7] https://www.drupal.org/security/secure-configuration
[8] https://twitter.com/drupalsecurity

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news



Archive provided by MHonArc 2.6.19.
