CVSS2: 5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS: 0.967 High
Percentile: 99.7%
The ‘me aliases’ module provides shortcut paths to the current user’s pages, e.g. user/me, blog/me, user/me/edit, tracker/me, etc.
The Views user argument handler for the ‘me’ module has an access bypass vulnerability: it does not check the supplied argument against the current user. This allows any user to access the content served by the view by substituting ‘me’ in the URL with a user ID, even when they don’t have permission to access the content.
This only affects Views that use the Views ‘me’ user argument handler.
Drupal core is not affected. If you do not use the contributed me aliases module, there is nothing you need to do.
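The missing check described above, as an added example in plain PHP (not the module's code and not its patch). It uses no Drupal or Views APIs; the function names and the `$canViewOthers` flag are hypothetical, and the sample requests are constructed.

```php
<?php
// Added illustration only. All function names here are hypothetical.

/**
 * Flawed pattern: swaps the 'me' alias for the current uid, but lets any
 * other numeric value through without comparing it to the current user.
 */
function resolve_user_arg_flawed(string $arg, int $currentUid): ?int {
    if ($arg === 'me') {
        return $currentUid;
    }
    return ctype_digit($arg) ? (int) $arg : null; // no ownership check
}

/**
 * Checked pattern: a literal uid is accepted only when it is the current
 * user's own, or the caller holds a permission to view other users' data.
 * A null return means the caller should answer "access denied".
 */
function resolve_user_arg_checked(string $arg, int $currentUid, bool $canViewOthers = false): ?int {
    if ($arg === 'me') {
        // uid 0 is Drupal's anonymous user, which has no 'me' page.
        return $currentUid > 0 ? $currentUid : null;
    }
    if (!ctype_digit($arg)) {
        return null; // not a uid at all
    }
    $uid = (int) $arg;
    if ($uid === $currentUid || $canViewOthers) {
        return $uid;
    }
    return null;
}

// Constructed sample requests: [argument taken from the URL, current uid].
$requests = [['me', 7], ['7', 7], ['3', 7], ['abc', 7], ['me', 0]];
foreach ($requests as [$arg, $uid]) {
    printf(
        "arg=%-3s current=%d flawed=%s checked=%s\n",
        $arg,
        $uid,
        var_export(resolve_user_arg_flawed($arg, $uid), true),
        var_export(resolve_user_arg_checked($arg, $uid), true)
    );
}
```

The row to look at is the argument `3` with current user 7: the flawed resolver hands the foreign uid to the view, while the checked one returns null.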
Install the latest version:
Also see the me aliases project page.