#VU7961 Security restrictions bypass in Drupal - CVE-2017-6923
Published: August 16, 2017
Vulnerability identifier: #VU7961
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2017-6923
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Drupal
Drupal
Software vendor:
Drupal
Drupal
Description
The vulnerability allows a remote attacker to gain unauthorized access to views.
The vulnerability exists due to a design error within views subsystem/module, which does not restrict access to the Ajax endpoint to only views configured to use Ajax.A remote unauthenticated attacker can read or update the displayed data via filter parameters.
Successful exploitation of the vulnerability may allow an attacker to gain unauthorized access to views.
The vulnerability exists due to a design error within views subsystem/module, which does not restrict access to the Ajax endpoint to only views configured to use Ajax.A remote unauthenticated attacker can read or update the displayed data via filter parameters.
Successful exploitation of the vulnerability may allow an attacker to gain unauthorized access to views.
Remediation
Update to version 8.3.7.