  • Advisory ID: PSA-2010-002
  • Project: Views (third-party module)
  • Versions: 5.x, 6.x
  • Date: 2010-June-16
  • Security risk: Not critical

Description

This is a public service announcement regarding the "administer views" permission provided by the Views module.

The Views module provides a flexible method for Drupal site designers to control how lists and tables of content are presented. The module grants considerable power to users with "administer views" permission, with much of a site's behaviour being configurable via the views administration pages.

The permission "administer views" is therefore comparable in scope to the "administer site configuration" permission. Only grant this permission to trusted site administrators.

Versions affected

  • Views module for Drupal 5.x
  • Views module for Drupal 6.x

Drupal core is not affected. If you do not use the contributed Views module, there is nothing you need to do.

Solution

Only grant trusted site administrators the "administer views" permission.
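One way to check who currently holds the permission, as an added example that is not part of the original advisory: the queries below assume the default Drupal 5.x/6.x core schema (tables role, permission, users_roles, users), no table prefix, and MySQL.

```sql
-- Added example: audit "administer views" on a Drupal 5.x/6.x site.
-- Assumptions: default core tables, no table prefix, MySQL syntax.
-- permission.perm holds one ', '-separated list of permission names per
-- role, so the value is padded before matching to avoid partial-name hits.

-- 1. Roles that carry the permission.
--    rid 1 is the anonymous role and rid 2 the authenticated role; either
--    one appearing here means the permission is not limited to named users.
SELECT r.rid,
       r.name AS role_name,
       CASE WHEN r.rid IN (1, 2)
            THEN 'all visitors or all logged-in users'
            ELSE 'explicitly assigned users'
       END AS reach
FROM role r
JOIN permission p ON p.rid = r.rid
WHERE CONCAT(', ', p.perm, ', ') LIKE '%, administer views, %'
ORDER BY r.rid;

-- 2. Accounts that receive the permission through an assigned role.
--    users.status = 0 marks a blocked account; those rows are still worth
--    reviewing because unblocking the account restores the access.
SELECT u.uid,
       u.name   AS user_name,
       u.status AS active,
       r.name   AS role_name
FROM users u
JOIN users_roles ur ON ur.uid = u.uid
JOIN role r         ON r.rid  = ur.rid
JOIN permission p   ON p.rid  = r.rid
WHERE CONCAT(', ', p.perm, ', ') LIKE '%, administer views, %'
ORDER BY r.name, u.name;
```

The account with uid 1 passes every permission check regardless of role, so it will not appear in the second result unless it also has one of the listed roles.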

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.