CVSS2: 5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3: 5.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS: 0.004 Low
Percentile: 73.6%
An access bypass vulnerability exists in the Views module, where users without the “View content count” permission can see the number of hits collected by the Statistics module for results in the view.
This issue is mitigated by the fact that the view must be configured to show a “Content statistics” field, such as “Total views”, “Views today” or “Last visit”.
The same vulnerability exists in the Drupal 8 core Views module; see SA-CORE-2016-002.
Drupal core is not affected. If you do not use the contributed Views module, there is nothing you need to do.
Install the latest version:
Also see the Views project page.
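One way to find views that meet the mitigating condition described above (a "Content statistics" field configured in the view), as an added example that is not part of the advisory or of the Views project. It assumes a Drupal 7 Views PHP export and that the Statistics module keeps its counters in the node_counter table with columns totalcount, daycount and timestamp; the sample export is constructed.

```python
import re

# Assumption (not from the advisory): Drupal 7 Statistics keeps its counters
# in table "node_counter"; the labels below are the ones the advisory names.
STATS_TABLE = "node_counter"
STAT_FIELDS = {"totalcount": "Total views", "daycount": "Views today",
               "timestamp": "Last visit"}

VIEW_RE = re.compile(r"\$view->name\s*=\s*'([^']+)'")
DISPLAY_RE = re.compile(r"\$view->new_display\('[^']*',\s*'[^']*',\s*'([^']+)'\)")
FIELD_RE = re.compile(
    r"display_options\['fields'\]\['([^']+)'\]\['(table|field)'\]\s*=\s*'([^']*)'")

def find_statistics_fields(export_text):
    """Return sorted (view, display, field id, label) for statistics fields."""
    view = display = "(unknown)"
    handlers = {}  # (view, display, field id) -> {"table": ..., "field": ...}
    for line in export_text.splitlines():
        if (m := VIEW_RE.search(line)):
            view = m.group(1)
        elif (m := DISPLAY_RE.search(line)):
            display = m.group(1)
        elif (m := FIELD_RE.search(line)):
            handlers.setdefault((view, display, m.group(1)), {})[m.group(2)] = m.group(3)
    # Match on table AND column: a field merely named "timestamp" on another
    # table is not a statistics field.
    return sorted((v, d, fid, STAT_FIELDS[h["field"]])
                  for (v, d, fid), h in handlers.items()
                  if h.get("table") == STATS_TABLE and h.get("field") in STAT_FIELDS)

# Constructed sample export, not taken from a real site.
SAMPLE_EXPORT = r"""
$view->name = 'popular_content';
$handler = $view->new_display('default', 'Master', 'default');
$handler->display->display_options['fields']['title']['table'] = 'node';
$handler->display->display_options['fields']['title']['field'] = 'title';
$handler->display->display_options['fields']['totalcount']['table'] = 'node_counter';
$handler->display->display_options['fields']['totalcount']['field'] = 'totalcount';
$handler = $view->new_display('page', 'Page', 'page_1');
$handler->display->display_options['fields']['timestamp']['table'] = 'node';
$handler->display->display_options['fields']['timestamp']['field'] = 'created';
$handler->display->display_options['fields']['daycount']['table'] = 'node_counter';
$handler->display->display_options['fields']['daycount']['field'] = 'daycount';
"""

if __name__ == "__main__":
    for hit in find_statistics_fields(SAMPLE_EXPORT):
        print("view=%s display=%s field=%s (%s)" % hit)
```

Each view and display reported is one to review for who can reach it until the fixed Views release is installed.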
twitter.com/drupalsecurity
www.drupal.org/contact
www.drupal.org/node/2749373
www.drupal.org/project/views
www.drupal.org/SA-CORE-2016-002
www.drupal.org/security-team
www.drupal.org/security-team/risk-levels
www.drupal.org/security/secure-configuration
www.drupal.org/user/102818
www.drupal.org/user/262198
www.drupal.org/user/266527
www.drupal.org/user/35733
www.drupal.org/user/36762
www.drupal.org/user/551886
www.drupal.org/user/65776
www.drupal.org/user/982724
www.drupal.org/user/99340
www.drupal.org/writing-secure-code