<div dir="ltr"><br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">View online: <a href="https://www.drupal.org/sa-contrib-2024-018" rel="noreferrer" target="_blank">https://www.drupal.org/sa-contrib-2024-018</a><br></div></div></div><div class="gmail_quote">
<br>
Project: REST Views [1]<br>
Date: 2024-April-24<br>
Security risk: *Moderately critical* 14∕25<br>
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]<br>
Vulnerability: Information Disclosure<br>
<br>
Affected versions: <3.0.1<br>
Description: <br>
The Rest views module lets site admins create rest exports in views with<br>
additional options for serializing data.<br>
<br>
This module does not accurately check access and may expose paths to<br>
unpublished content.<br>
<br>
This vulnerability is mitigated by the fact that there must be a specific<br>
content structure to expose.<br>
<br>
Paths to unpublished entities (such as nodes) will be exposed if those<br>
entities are referenced from other entities listed in a REST display, and the<br>
reference field on those listed entities is displayed with the "Entity path"<br>
formatter.<br>
<br>
Solution: <br>
Install the latest version:<br>
<br>
   * REST Views 8.x-1.x versions are unsupported.<br>
   * REST Views 2.x versions upgrade to Rest Views 3.0.1 [3]<br>
   * REST Views 3.x versions prior to 3.0.1 upgrade to Rest Views 3.0.1 [4]<br>
<br>
Reported By: <br>
   * nicxvan [5]<br>
<br>
Fixed By: <br>
   * nicxvan [6]<br>
<br>
Coordinated By: <br>
   * Benji Fisher [7] of the Drupal Security Team<br>
   * Greg Knaddison [8] of the Drupal Security Team<br>
   * Cathy Theys [9] of the Drupal Security Team<br>
<br>
<br>
[1] <a href="https://www.drupal.org/project/rest_views" rel="noreferrer" target="_blank">https://www.drupal.org/project/rest_views</a><br>
[2] <a href="https://www.drupal.org/security-team/risk-levels" rel="noreferrer" target="_blank">https://www.drupal.org/security-team/risk-levels</a><br>
[3] <a href="https://www.drupal.org/project/rest_views/releases/3.0.1" rel="noreferrer" target="_blank">https://www.drupal.org/project/rest_views/releases/3.0.1</a><br>
[4] <a href="https://www.drupal.org/project/rest_views/releases/3.0.1" rel="noreferrer" target="_blank">https://www.drupal.org/project/rest_views/releases/3.0.1</a><br>
[5] <a href="https://www.drupal.org/user/531480" rel="noreferrer" target="_blank">https://www.drupal.org/user/531480</a><br>
[6] <a href="https://www.drupal.org/user/531480" rel="noreferrer" target="_blank">https://www.drupal.org/user/531480</a><br>
[7] <a href="https://www.drupal.org/user/683300" rel="noreferrer" target="_blank">https://www.drupal.org/user/683300</a><br>
[8] <a href="https://www.drupal.org/user/36762" rel="noreferrer" target="_blank">https://www.drupal.org/user/36762</a><br>
[9] <a href="https://www.drupal.org/user/258568" rel="noreferrer" target="_blank">https://www.drupal.org/user/258568</a><br>
<br>
_______________________________________________<br>
Security-news mailing list<br>
<a href="mailto:Security-news@drupal.org" target="_blank">Security-news@drupal.org</a><br>
Unsubscribe at <a href="https://lists.drupal.org/mailman/listinfo/security-news" rel="noreferrer" target="_blank">https://lists.drupal.org/mailman/listinfo/security-news</a><br>
</div><div class="gmail_quote"><br></div><div class="gmail_quote"><div>===</div><div>Computer Security Incident Response Team - CSIRT</div><div>Universidade Estadual de Campinas - Unicamp</div><div>Centro de Computacao - CCUEC</div><div>GnuPG Public Key: <a href="http://www.security.unicamp.br/security.asc" target="_blank">http://www.security.unicamp.br/security.asc</a> [^]</div><div>Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830</div></div></div>