Description

The Views module contains an information disclosure vulnerability due to the fact that it allows access to user profile data. This vulnerability exposes actual user names, so defensive strategies to protect usernams (such as using aliases, or the RealName (http://drupal.org/project/realname) module) cannot protect against this exposure. This method is particularly useful for finding the Drupal super user account (id 1) and other accounts that might not be exposed anywhere on the public facing site.

Remediation

Apply the patch provided in the web reference section.

References

Patch

Related Vulnerabilities

Oracle Database Server CVE-2008-1813 Vulnerability (CVE-2008-1813)

Stack Trace Disclosure (Apache MyFaces)

Envoy Proxy CVE-2024-7207 Vulnerability (CVE-2024-7207)

IBMHttpServer Other Vulnerability (CVE-2006-3918)

IBM RTC Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-2947)

Severity

Medium

Classification

CWE-200 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Information Disclosure Bruteforce Possible Known Vulnerabilities