drupal-views: cross site scripting
| Package(s): | drupal-views |
| CVE #(s): | |
| Created: | June 16, 2009 |
| Updated: | June 17, 2009 |
| Description: | |
From the Fedora advisory: The Views module provides a flexible method for Drupal site designers to control how lists of content are presented. In the Views UI administrative interface when configuring exposed filters, user input presented as possible exposed filters is not correctly filtered, potentially allowing malicious users to insert arbitrary HTML and script code into these pages. In addition, content entered by users with 'administer views' permission into the View name when defining custom views is subsequently displayed without being filtered. Such cross site scripting (XSS) attacks may lead to a malicious user gaining full administrative access. An access bypass may exist where unpublished content owned by the anonymous user (e.g. content created by a user whose account was later deleted) is visible to any anonymous user if there is a view already configured to show it incorrectly. An additional access bypass may occur because Views may generate queries which disrespect node access control. Users may be able to access private content if they have permission to see the resulting View.
| Alerts: | |
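As an added illustration (not code from the Views module, the Fedora advisory, or Drupal core), the Drupal 6 style PHP below shows the two defect classes the advisory describes, a user-controlled view name echoed into an admin page without escaping and a node listing query that skips node access checks, each beside its hardened form. It assumes a bootstrapped Drupal 6 site so that check_plain(), db_query() and db_rewrite_sql() are available; the sample view name and the views_example_* function names are constructed for this illustration.

```php
<?php
// Added illustration, not code from the Views module or Drupal core.
// Mirrors the two defects in the advisory in Drupal 6 terms:
//   (1) a view name typed by an 'administer views' user rendered unescaped
//   (2) a content query that ignores Drupal's node access system

// Constructed sample input: a view name containing markup.
$view_name = 'Recent posts <b>with injected markup</b>';

// (1a) Vulnerable: the stored name is concatenated into page markup as-is,
// so any HTML or script it contains becomes part of the admin page
// (stored XSS, viewed by whoever edits the view).
function views_example_title_unsafe($name) {
  return '<h2>Editing view ' . $name . '</h2>';
}

// (1b) Hardened: check_plain() (Drupal core) HTML-encodes <, >, &, " and '
// so the name is shown as literal text. Escape at output time; the raw
// string may still be stored so it can be edited later.
function views_example_title_safe($name) {
  return '<h2>Editing view ' . check_plain($name) . '</h2>';
}

// (2a) Vulnerable: a raw query returns every node matching the condition,
// including unpublished nodes and nodes restricted by a node access module,
// to anyone allowed to see the rendered View.
function views_example_list_unsafe() {
  return db_query("SELECT n.nid, n.title FROM {node} n WHERE n.type = 'page'");
}

// (2b) Hardened: db_rewrite_sql() (Drupal 6 core, default alias 'n' on nid)
// lets node access modules add their grant conditions to the query, and
// n.status = 1 drops unpublished nodes regardless of owner, which covers
// unpublished content left owned by the anonymous user.
function views_example_list_safe() {
  $sql = "SELECT n.nid, n.title FROM {node} n "
       . "WHERE n.type = 'page' AND n.status = 1";
  return db_query(db_rewrite_sql($sql));
}

// Defensive check: the escaped title must not contain a raw '<' from input.
function views_example_title_is_escaped($name) {
  $html = views_example_title_safe($name);
  return strpos(substr($html, strlen('<h2>')), '<') === strlen($html) - strlen('<h2>') - strlen('</h2>');
}

print views_example_title_safe($view_name);
```

The check function returns TRUE only when the sole remaining `<` after the opening tag is the closing `</h2>`, i.e. every angle bracket from the input was encoded.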