Views - Less critical - Cross site scripting - SA-CONTRIB-2019-036

Project: ViewsVersion: 7.x-3.x-devDate: 2019-March-13Security risk: Less critical 7∕25 AC:Complex/A:None/CI:None/II:None/E:Theoretical/TD:UncommonVulnerability: Cross site scriptingDescription: This module enables you to create customized lists of data.
The module doesn't sufficiently sanitize certain field types, leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that a view must display a field with the format "Full data (serialized)" and an attacker must have the ability to store malicious markup in that field.Solution: Install the latest version:

  • If you use the Views module for Drupal 7.x, upgrade to Views 7.x-3.21

Also see the Views project page.Reported By: 

Fixed By: 

Coordinated By: 

Additional information
Note: Drupal issues individual security advisories for separate vulnerabilities included in a release, rather than lumping "multiple vulnerabilities" into a single advisory. All advisories released today for Views:

Path to article