Vulnerability Description
In Drupal 8.x prior to 8.3.7 When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to always include some form of access restrictions on all views, even if you are using another module to display them.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Drupal | Drupal | >= 8.0.0, <= 8.3.7 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/100368Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1039200Third Party AdvisoryVDB Entry
- https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/201PatchRelease NotesVendor Advisory
- http://www.securityfocus.com/bid/100368Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1039200Third Party AdvisoryVDB Entry
- https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/201PatchRelease NotesVendor Advisory
FAQ
What is CVE-2017-6923?
CVE-2017-6923 is a vulnerability with a CVSS score of 6.5 (MEDIUM). In Drupal 8.x prior to 8.3.7 When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoi...
How severe is CVE-2017-6923?
CVE-2017-6923 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-6923?
Check the references section above for vendor advisories and patch information. Affected products include: Drupal Drupal.