
CVE-2016-6212: Drupal Views can allow unauthorized users to see Statistics information

CVSS Score (v3.0): 5.3

Basic Information

EPSS Score: 0.66545%
Published: 5/17/2022
Updated: 4/23/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package Name  | Ecosystem | Vulnerable Versions | First Patched Version
drupal/core   | composer  | >= 8.0, < 8.1.3     | 8.1.3
drupal/drupal | composer  | >= 8.0, < 8.1.3     | 8.1.3

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from missing access controls in the Views integration with Statistics module data. The CWE-200 classification and the advisory details indicate that sensitive statistics data was exposed through Views displays. In Drupal's architecture:
1) field handlers require explicit access checks;
2) the Statistics module's Views integration handles node view counts;
3) the patched versions (8.1.3 / 7.x-3.14) likely added permission checks in these methods.
The combination of field handler methods (access() for permissions and query() for data inclusion) matches the vulnerability pattern of missing authorization checks when sensitive data is exposed through Views.
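To illustrate the handler pattern described above, here is an added example of a hypothetical Drupal 8 Views field plugin that exposes a per-node view counter, shown without and with an access() override. It is not Drupal core's code or the actual patch; the module namespace, class names and the 'totalcount' column are assumptions, while FieldPluginBase, HandlerBase::access() and the Statistics module's 'view post access counter' permission are real Drupal APIs.

```php
<?php
// Added illustration, not Drupal core's own code or the real CVE-2016-6212 fix.
// Two classes are kept in one file here for readability; a real module places
// one plugin class per PSR-4 file.

namespace Drupal\example_stats\Plugin\views\field;

use Drupal\Core\Session\AccountInterface;
use Drupal\views\Plugin\views\field\FieldPluginBase;
use Drupal\views\ResultRow;

/**
 * Vulnerable pattern: query() adds the counter column to the view's SQL, but
 * access() is never overridden, so HandlerBase::access() returns TRUE for every
 * account and anyone who can see the view also sees the statistics data.
 */
class NodeCounterUnchecked extends FieldPluginBase {

  public function query() {
    $this->ensureMyTable();
    // Assumed column name; the page does not name the real table or field.
    $this->field_alias = $this->query->addField($this->tableAlias, 'totalcount');
  }

  public function render(ResultRow $values) {
    return (int) $this->getValue($values);
  }

}

/**
 * Hardened pattern: Views drops a handler whose access() returns FALSE for the
 * current user, so for accounts without the permission the counter is neither
 * added to the query nor rendered. The data inclusion (query) and the
 * authorization decision (access) are kept together in the same handler.
 */
class NodeCounterChecked extends NodeCounterUnchecked {

  public function access(AccountInterface $account) {
    // 'view post access counter' is the permission the Statistics module
    // defines for seeing node view counts.
    return $account->hasPermission('view post access counter');
  }

}
```

When reviewing a custom Views field handler that surfaces non-public data, check that it overrides access() rather than relying on the base class default, which grants access to everyone.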

Vulnerable functions


WAF Protection Rules

WAF Rule

The Views module 7.x-3.x before 7.x-3.14 in Drupal 7.x and the Views module in Drupal 8.x before 8.1.3 might allow remote authenticated users to bypass intended access restrictions and obtain sensitive Statistics information via unspecified vectors.
