CVE-2013-1887 - OpenCVE

Multiple cross-site scripting (XSS) vulnerabilities in the Views module 7.x-3.x before 7.x-3.6 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via certain view configuration fields.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:H/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Views Project	Views
Drupal	Drupal

Configuration 1 [-]

AND

OR	cpe:2.3:a:views_project:views:7.x-3.0:::::::*
	cpe:2.3:a:views_project:views:7.x-3.0:alpha1::::::
	cpe:2.3:a:views_project:views:7.x-3.0:beta1::::::
	cpe:2.3:a:views_project:views:7.x-3.0:beta2::::::
	cpe:2.3:a:views_project:views:7.x-3.0:beta3::::::
	cpe:2.3:a:views_project:views:7.x-3.0:rc1::::::
	cpe:2.3:a:views_project:views:7.x-3.0:rc3::::::
	cpe:2.3:a:views_project:views:7.x-3.1:::::::*
	cpe:2.3:a:views_project:views:7.x-3.2:::::::*
	cpe:2.3:a:views_project:views:7.x-3.3:::::::*
	cpe:2.3:a:views_project:views:7.x-3.4:::::::*
	cpe:2.3:a:views_project:views:7.x-3.5:::::::*
	cpe:2.3:a:views_project:views:7.x-3.x:dev::::::

cpe:2.3:a:drupal:drupal:-:*:*:*:*:*:*:*

References

Link	Resource
http://drupal.org/node/1948354	Patch
http://drupal.org/node/1948358	Patch Vendor Advisory
http://drupalcode.org/project/views.git/commitdiff/ddf8181bd13f69ffbeeee14ae72168418785d7ac
http://packetstormsecurity.com/files/120892/Drupal-Views-7.x-Cross-Site-Scripting.html
http://seclists.org/fulldisclosure/2013/Mar/193
http://secunia.com/advisories/51540	Vendor Advisory
http://www.openwall.com/lists/oss-security/2013/03/22/8
http://www.openwall.com/lists/oss-security/2013/03/25/4
http://www.osvdb.org/91576
http://www.securityfocus.com/bid/58621

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2022-10-03T16:14:47

Updated: 2022-10-03T16:14:47

Reserved: 2022-10-03T00:00:00

Link: CVE-2013-1887

JSON object: View

NVD Information

Status : Analyzed

Published: 2013-03-27T23:55:01.047

Modified: 2013-03-28T04:00:00.000

Link: CVE-2013-1887

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the Views module 7.x-3.x before 7.x-3.6 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via certain view configuration fields."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-10-03T16:14:47", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "51540", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/51540"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/120892/Drupal-Views-7.x-Cross-Site-Scripting.html"}, {"tags": ["x_refsource_MISC"], "url": "http://drupal.org/node/1948358"}, {"name": "91576", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://www.osvdb.org/91576"}, {"name": "[oss-security] 20130325 Re: CVE Request -- drupal7-views : SA-CONTRIB-2013-035 - Views - Cross Site Scripting (XSS)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2013/03/25/4"}, {"name": "20130320 [Security-news] SA-CONTRIB-2013-035 - Views - Cross Site Scripting (XSS)", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2013/Mar/193"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://drupalcode.org/project/views.git/commitdiff/ddf8181bd13f69ffbeeee14ae72168418785d7ac"}, {"name": "[oss-security] 20130322 Re: CVE Request -- drupal7-views : SA-CONTRIB-2013-035 - Views - Cross Site Scripting (XSS)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2013/03/22/8"}, {"name": "58621", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/58621"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://drupal.org/node/1948354"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-1887", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the Views module 7.x-3.x before 7.x-3.6 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via certain view configuration fields."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "51540", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/51540"}, {"name": "http://packetstormsecurity.com/files/120892/Drupal-Views-7.x-Cross-Site-Scripting.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/120892/Drupal-Views-7.x-Cross-Site-Scripting.html"}, {"name": "http://drupal.org/node/1948358", "refsource": "MISC", "url": "http://drupal.org/node/1948358"}, {"name": "91576", "refsource": "OSVDB", "url": "http://www.osvdb.org/91576"}, {"name": "[oss-security] 20130325 Re: CVE Request -- drupal7-views : SA-CONTRIB-2013-035 - Views - Cross Site Scripting (XSS)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2013/03/25/4"}, {"name": "20130320 [Security-news] SA-CONTRIB-2013-035 - Views - Cross Site Scripting (XSS)", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2013/Mar/193"}, {"name": "http://drupalcode.org/project/views.git/commitdiff/ddf8181bd13f69ffbeeee14ae72168418785d7ac", "refsource": "CONFIRM", "url": "http://drupalcode.org/project/views.git/commitdiff/ddf8181bd13f69ffbeeee14ae72168418785d7ac"}, {"name": "[oss-security] 20130322 Re: CVE Request -- drupal7-views : SA-CONTRIB-2013-035 - Views - Cross Site Scripting (XSS)", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2013/03/22/8"}, {"name": "58621", "refsource": "BID", "url": "http://www.securityfocus.com/bid/58621"}, {"name": "http://drupal.org/node/1948354", "refsource": "CONFIRM", "url": "http://drupal.org/node/1948354"}]}}}}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-1887", "datePublished": "2022-10-03T16:14:47", "dateReserved": "2022-10-03T00:00:00", "dateUpdated": "2022-10-03T16:14:47", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:views_project:views:7.x-3.0:*:*:*:*:*:*:*", "matchCriteriaId": "A4DD5CD4-BE1E-4CD0-8154-E71F194EC21C", "vulnerable": true}, {"criteria": "cpe:2.3:a:views_project:views:7.x-3.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "575313F3-ADA8-409F-A46F-DFD851B157E6", "vulnerable": true}, {"criteria": "cpe:2.3:a:views_project:views:7.x-3.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "66F77966-456C-42A4-ADBB-FA220214FB2F", "vulnerable": true}, {"criteria": "cpe:2.3:a:views_project:views:7.x-3.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "B7B59C40-649C-40DD-A09F-CA3EA51291D8", "vulnerable": true}, {"criteria": "cpe:2.3:a:views_project:views:7.x-3.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "59EED1F0-CF33-4F87-A51E-B30F2C025FBA", "vulnerable": true}, {"criteria": "cpe:2.3:a:views_project:views:7.x-3.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "B409004F-1282-4AB6-8455-CB2095A45C10", "vulnerable": true}, {"criteria": "cpe:2.3:a:views_project:views:7.x-3.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "6FFF9294-F089-4D34-8C35-974132F22B58", "vulnerable": true}, {"criteria": "cpe:2.3:a:views_project:views:7.x-3.1:*:*:*:*:*:*:*", "matchCriteriaId": "568E9296-C2AD-4D80-9327-F9A0DCBB5917", "vulnerable": true}, {"criteria": "cpe:2.3:a:views_project:views:7.x-3.2:*:*:*:*:*:*:*", "matchCriteriaId": "E087F61C-07A5-4037-A282-A460CBE616E3", "vulnerable": true}, {"criteria": "cpe:2.3:a:views_project:views:7.x-3.3:*:*:*:*:*:*:*", "matchCriteriaId": "50EB9D66-120E-426D-B3E9-1EAC8CB14D98", "vulnerable": true}, {"criteria": "cpe:2.3:a:views_project:views:7.x-3.4:*:*:*:*:*:*:*", "matchCriteriaId": "FA161F50-6EBD-4B3C-8BE7-AFB13B29A0CF", "vulnerable": true}, {"criteria": "cpe:2.3:a:views_project:views:7.x-3.5:*:*:*:*:*:*:*", "matchCriteriaId": "49A7C3D5-EDFA-4728-B84D-69C864351494", "vulnerable": true}, {"criteria": "cpe:2.3:a:views_project:views:7.x-3.x:dev:*:*:*:*:*:*", "matchCriteriaId": "6E62EF74-120B-4474-9660-22803BF41A6A", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:drupal:drupal:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B1170D-AD33-4C7A-892D-63AC71B032CF", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the Views module 7.x-3.x before 7.x-3.6 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via certain view configuration fields."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en el modulo Views v7.x-3.x anterior a v7.x-3.6 para Drupal permite a usuarios autenticados remotamente con algunos permisos inyectar secuencias de comandos web o HTML a trav\u00e9s de ciertos campos de la vista de configuraci\u00f3n."}], "id": "CVE-2013-1887", "lastModified": "2013-03-28T04:00:00.000", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2013-03-27T23:55:01.047", "references": [{"source": "secalert@redhat.com", "tags": ["Patch"], "url": "http://drupal.org/node/1948354"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Vendor Advisory"], "url": "http://drupal.org/node/1948358"}, {"source": "secalert@redhat.com", "url": "http://drupalcode.org/project/views.git/commitdiff/ddf8181bd13f69ffbeeee14ae72168418785d7ac"}, {"source": "secalert@redhat.com", "url": "http://packetstormsecurity.com/files/120892/Drupal-Views-7.x-Cross-Site-Scripting.html"}, {"source": "secalert@redhat.com", "url": "http://seclists.org/fulldisclosure/2013/Mar/193"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/51540"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2013/03/22/8"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2013/03/25/4"}, {"source": "secalert@redhat.com", "url": "http://www.osvdb.org/91576"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/58621"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}