Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CONTRIB-2010-111
- Project: Views (third-party module)
- Version: 6.x
- Date: 2010-December-15
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Multiple vulnerabilities
Description
The Views module provides a flexible method for Drupal site designers to control how lists and tables of content are presented. Under certain circumstances, Views could display parts of the page path without escaping, resulting in a relected Cross Site Scripting (XSS) vulnerability. An attacker could exploit this to gain full administrative access.
Mitigating factors: This vulnerability only occurs with a specific combination of configuration options for a specific View, but this combination is used in the default Views provided by some additional modules. A malicious user would need to get an authenticated administrative user to visit a specially crafted URL.
Versions affected
- Views module for Drupal 6.x versions prior to 6.x-2.12
Drupal core is not affected. If you do not use the contributed Views module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Views module for Drupal 6.x upgrade to Views 6.x-2.12
See also the Views project page.
Reported by
Fixed by
- Earl Miles (merlinofchaos), module maintainer
Contact
The Drupal security team can be reached at security at drupal.org or via the form at http://drupal.org/contact.
