VYPR
Moderate severity · NVD Advisory · Published Jan 22, 2019 · Updated Sep 16, 2024

Access bypass in Drupal 8 views

CVE-2017-6923

Description

Drupal 8 views Ajax endpoint lacks access restrictions, allowing unauthorized data access via filter parameters.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Drupal 8.x versions prior to 8.3.7, the Views subsystem/module did not restrict access to its Ajax endpoint to only views configured to use Ajax. When creating a view with Ajax enabled, filter parameters are used to update displayed data. However, the endpoint is accessible even for views not intended to use Ajax, bypassing intended access controls. This issue affects all Drupal 8.x versions before 8.3.7 and is mitigated only if the view has explicit access restrictions [1][2].

Exploitation

An attacker can send a crafted request to the Ajax endpoint of a view that does not have its own access restrictions. The attacker does not need a privileged account if the view is publicly accessible. By manipulating filter parameters, the attacker can make the view return data that would otherwise be restricted, since the view itself enforces no access checks and, before the fix, the Ajax endpoint did not verify that the view was meant to be served that way [1][2].

Impact

Successful exploitation allows an attacker to retrieve sensitive information that the view was intended to hide, leading to unauthorized information disclosure. The access bypass does not grant code execution or privilege escalation, but it compromises confidentiality by exposing data that should be protected [1][2].

Mitigation

Drupal 8 core version 8.3.7, released on 2017-Aug-16, fixes this vulnerability by ensuring that the Ajax endpoint is only available for views configured to use it and that are accessible to the user [2][3]. As a workaround, site administrators should always include some form of access restrictions on all views, even if using another module to display them [1][2]. This CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.
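The workaround above is a per-view configuration change. The following excerpt, added here as an illustration and not taken from the advisory or from Drupal's own code, shows the relevant part of a Drupal 8 view config export (a views.view.*.yml file) with the weak setting beside the corrected one. The view id, label and permission name are constructed; the keys (use_ajax, access.type, access.options.perm) are the standard Drupal 8 Views display options.

```yaml
# Added example (not from the advisory or the Drupal project).
# Two alternative versions of the same exported view, separated by "---".
# View id and permission name are constructed for illustration.

# Weak: Ajax is enabled and the display has no access restriction at all.
# The view's own access setting is the only guard that applies before 8.3.7,
# so with "type: none" any visitor can pull this display's data.
id: audit_log_listing
display:
  default:
    display_options:
      use_ajax: true
      access:
        type: none
        options: {  }

---
# Corrected: the display requires a permission. Users lacking it are denied
# whether the view is rendered as a normal page or updated via Ajax.
id: audit_log_listing
display:
  default:
    display_options:
      use_ajax: true
      access:
        type: perm
        options:
          perm: 'view audit log listing'
```

Applying the second form to every view (not only those that use Ajax) is the workaround the advisory recommends for sites that cannot upgrade immediately; after 8.3.7 the Ajax endpoint also checks the view's access setting, so the per-view restriction remains the right configuration either way.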

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Source      Affected versions   Patched versions
drupal/core      Packagist   >= 8.0, < 8.3.7     8.3.7
drupal/drupal    Packagist   >= 8.0, < 8.3.7     8.3.7

Affected products: 3

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 8

News mentions: 0. No linked articles in our index yet.