Vulnerability identifier: #VU7961
Vulnerability risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-264
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Drupal
Web applications /
CMS
Vendor: Drupal
Description
The vulnerability allows a remote attacker to gain unauthorized access to views.
The vulnerability exists due to a design error within views subsystem/module, which does not restrict access to the Ajax endpoint to only views configured to use Ajax.A remote unauthenticated attacker can read or update the displayed data via filter parameters.
Successful exploitation of the vulnerability may allow an attacker to gain unauthorized access to views.
Mitigation
Update to version 8.3.7.
Vulnerable software versions
Drupal: 8.3.0 - 8.3.6
External links
http://www.drupal.org/SA-CORE-2017-004
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.