View online: https://www.drupal.org/sa-contrib-2019-034

Project: Views [1] Version: 7.x-3.x-dev Date: 2019-March-13 Security risk: *Moderately critical* 10∕25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2] Vulnerability: Information Disclosure

Description:  This module enables you to create customized lists of data.

The module doesn't sufficiently protect against argument definitions failing.

This vulnerability is mitigated by the fact that a view must have custom PHP code used as a field validator.

Solution:  Install the latest version:

* If you use the Views module for Drupal 7.x, upgrade to Views 7.x-3.21 [3]

Also see the Views [4] project page.

Reported By:  * Fabien Leroux [5]

Fixed By:  * Fabien Leroux [6] * Daniel Wehner [7] * Damien McKenna [8] of the Drupal Security Team * Len Swaneveld [9]

Coordinated By:  * Michael Hess [10] of the Drupal Security Team.

-------- ADDITIONAL INFORMATION ----------------------------------------------

Note: Drupal issues individual security advisories for separate vulnerabilities included in a release, rather than lumping "multiple vulnerabilities" into a single advisory. All advisories released today for Views:

* SA-CONTRIB-2019-034 [11] * SA-CONTRIB-2019-035 [12] * SA-CONTRIB-2019-036 [13]

[1] https://www.drupal.org/project/views [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/views/releases/7.x-3.21 [4] https://www.drupal.org/project/views [5] https://www.drupal.org/user/407852 [6] https://www.drupal.org/user/407852 [7] https://www.drupal.org/user/99340 [8] https://www.drupal.org/user/108450 [9] https://www.drupal.org/user/690914 [10] https://www.drupal.org/u/mlhess [11] https://www.drupal.org/sa-contrib-2019-034 [12] https://www.drupal.org/sa-contrib-2019-035 [13] https://www.drupal.org/sa-contrib-2019-036