Drupal Security TeamDRUPAL-SA-CONTRIB-2015-122Administration Views - Moderately Critical - Access Bypass - SA-CONTRIB-2015-122
6 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:P/I:P/A:P
0.003 Low
EPSS
Percentile
70.4%
This module replaces administrative overview/listing pages with Views for improved usability.
When combined with other contributed or custom modules, the Administration Views module improperly grants users access to administration pages including the permissions page.
This vulnerability is mitigated by the fact that it does not appear in the module itself, but only when combined with select other custom or contributed modules.
CVE identifier(s) issued
- CVE-2015-5509
Versions affected
- Administration Views 7.x-1.x versions prior to 7.x-1.4.
Drupal core is not affected. If you do not use the contributed Administration Views module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Administration Views module for Drupal 7.x, upgrade to Administration Views 7.x-1.4
Also see the Administration Views project page.
Reported by
Fixed by
Coordinated by
- Pere Orga of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
References
twitter.com/drupalsecurity
www.drupal.org/contact
www.drupal.org/project/admin_views
www.drupal.org/security-team
www.drupal.org/security-team/risk-levels
www.drupal.org/security/secure-configuration
www.drupal.org/u/rob230
www.drupal.org/user/202648
www.drupal.org/user/2301194
www.drupal.org/user/36762
www.drupal.org/writing-secure-code
Related
6 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:P/I:P/A:P
0.003 Low
EPSS
Percentile
70.4%