REST Views – Moderately critical – Information Disclosure – SA-CONTRIB-2024-018

Drupal Security Advisory

Project: 
Date: 2024-April-24
Vulnerability: Information Disclosure
Affected versions: <3.0.1
Description: 

The REST Views module lets site admins create REST exports in Views with additional options for serializing data.

This module does not accurately check access and may expose paths to unpublished content.

This vulnerability is mitigated by the fact that there must be a specific content structure to expose.

Paths to unpublished entities (such as nodes) will be exposed if those entities are referenced from other entities listed in a REST display, and the reference field on those listed entities is displayed with the “Entity path” formatter.
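
The condition described above, modelled as an added example in Python; it is not the module's PHP code or its actual fix. The `Node` class, `can_view`, both formatter functions and `rest_export` are hypothetical names, and access is simplified to a published flag plus a "view unpublished" permission.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    nid: int
    published: bool
    refs: list = field(default_factory=list)  # entity reference field (target nids)

    @property
    def path(self):
        return f"/node/{self.nid}"

def can_view(node, permissions):
    """Simplified view access: published, or viewer may see unpublished content."""
    return node.published or "view unpublished" in permissions

def path_formatter_unchecked(target, permissions):
    # Flawed pattern: the referenced entity's path is emitted without an access check.
    return target.path

def path_formatter_checked(target, permissions):
    # Hardened pattern: check view access on the referenced entity before output.
    return target.path if can_view(target, permissions) else None

def rest_export(nodes, permissions, formatter):
    """Serialize the rows of a REST display for a viewer with the given permissions."""
    rows = []
    for node in nodes.values():
        if not can_view(node, permissions):
            continue  # the listing itself is access-filtered
        paths = [formatter(nodes[nid], permissions) for nid in node.refs]
        rows.append({"nid": node.nid, "related": [p for p in paths if p is not None]})
    return rows

# Constructed sample content: published node 1 references a published node (2)
# and an unpublished draft (3).
NODES = {
    1: Node(1, True, refs=[2, 3]),
    2: Node(2, True),
    3: Node(3, False),
}

if __name__ == "__main__":
    anonymous = set()
    print("unchecked:", rest_export(NODES, anonymous, path_formatter_unchecked))
    print("checked:  ", rest_export(NODES, anonymous, path_formatter_checked))
    print("editor:   ", rest_export(NODES, {"view unpublished"}, path_formatter_checked))
```

The draft never appears as a row for an anonymous viewer in either case; only the unchecked formatter reveals its path through the reference field of a listed entity.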

Solution: 

Install the latest version:

  • REST Views 8.x-1.x versions are unsupported.
  • REST Views 2.x versions: upgrade to REST Views 3.0.1
  • REST Views 3.x versions prior to 3.0.1: upgrade to REST Views 3.0.1
Reported By: 
Fixed By: 
Coordinated By: 
