CVE-2017-6923

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2017-6923

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-6923.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2017-6923

Aliases

GHSA-v3f6-f29f-rgvp

Published

2019-01-22T15:29:00Z

Modified

2025-01-14T07:15:18.920634Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

In Drupal 8.x prior to 8.3.7 When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to always include some form of access restrictions on all views, even if you are using another module to display them.

References

Affected packages

Git / github.com/drupal/drupal

Affected ranges

Type: GIT
Repo: https://github.com/drupal/drupal
Events: Introduced

35c2f3ca5c935f3d8bde15932a712677c9bbd50f

Last affected

d86c3b65ee89ad7a2b4e53aafcff12a185aa749b

Affected versions

8.*

8.0.0

8.1.0-beta1

8.3.0

8.3.0-alpha1

8.3.0-beta1

8.3.0-rc1

8.3.0-rc2

8.3.1

8.3.2

8.3.3

8.3.4

8.3.5

8.3.6

8.3.7