Security restrictions bypass in Drupal - CVE-2017-6923
Published: August 16, 2017
Vulnerability identifier: #VU7961
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2017-6923
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Drupal
Affected software:
Drupal
Detailed vulnerability description
The vulnerability allows a remote attacker to gain unauthorized access to views.
The vulnerability exists due to a design error in the Views subsystem/module: the Views Ajax endpoint does not restrict access to only those views that are configured to use Ajax. A remote unauthenticated attacker can read or update the displayed data via filter parameters.
Successful exploitation of the vulnerability may allow an attacker to gain unauthorized access to views.
How to mitigate CVE-2017-6923
Update to version 8.3.7.
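As an added example that is not Drupal's code and not part of this advisory, the following Python script flags requests to the Views Ajax endpoint that name a display whose `use_ajax` option is off or that is unknown to the site, which is exactly the condition the unpatched endpoint fails to check. The endpoint path, the list of control parameters, the inventory layout and the log lines are assumptions or constructed samples.

```python
import json

# Constructed inventory of view displays and their "use_ajax" option, in the
# shape a site could derive from its exported views config (assumed layout).
VIEW_DISPLAYS = {
    ("frontpage", "page_1"): True,          # Ajax enabled
    ("content", "page_1"): False,           # admin content listing, no Ajax
    ("user_admin_people", "page_1"): False, # people listing, no Ajax
}

AJAX_ENDPOINT = "/views/ajax"  # assumed path of the Views Ajax controller

# Parameters the Ajax controller itself consumes (assumed); anything else is
# treated as exposed-filter / display input supplied by the client.
CONTROL_PARAMS = {"view_name", "view_display_id", "view_args", "view_path",
                  "view_dom_id", "pager_element", "view_base_path"}

# Constructed JSON-lines access log that records POST parameters (not a real log).
SAMPLE_LOG = """\
{"method": "POST", "path": "/views/ajax", "user": "anonymous", "params": {"view_name": "frontpage", "view_display_id": "page_1"}}
{"method": "POST", "path": "/views/ajax", "user": "anonymous", "params": {"view_name": "content", "view_display_id": "page_1", "title": "secret", "status": "0"}}
{"method": "POST", "path": "/views/ajax", "user": "anonymous", "params": {"view_name": "user_admin_people", "view_display_id": "page_1", "mail": "%"}}
{"method": "GET", "path": "/node/1", "user": "anonymous", "params": {}}
{"method": "POST", "path": "/views/ajax", "user": "admin", "params": {"view_name": "nonexistent", "view_display_id": "page_2"}}
"""

def find_unexpected_ajax(log_text, inventory=VIEW_DISPLAYS):
    """Return one finding per request to the Ajax endpoint whose target
    display is not configured for Ajax (or is not in the inventory at all)."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("path") != AJAX_ENDPOINT:
            continue
        params = rec.get("params", {})
        key = (params.get("view_name"), params.get("view_display_id"))
        if inventory.get(key, False):
            continue  # this display legitimately serves Ajax requests
        findings.append({
            "line": line_no,
            "user": rec.get("user"),
            "view": key,
            "known_display": key in inventory,
            "filter_params": sorted(set(params) - CONTROL_PARAMS),
        })
    return findings

if __name__ == "__main__":
    for finding in find_unexpected_ajax(SAMPLE_LOG):
        print(finding)
```

A site that has applied the 8.3.7 update should see such requests rejected by the endpoint; the check is still useful for spotting probing against displays that were never meant to be reached through Ajax.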