CVE-2016-6212: Drupal Views can allow unauthorized users to see Statistics information
CVSS Score: 5.3 (CVSS 3.0)
Basic Information
Field | Value |
---|---|
CVE ID | CVE-2016-6212 |
GHSA ID | |
EPSS Score | 0.66545% |
CWE | CWE-200 |
Published | 5/17/2022 |
Updated | 4/23/2024 |
KEV Status | No |
Technology | PHP |
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
drupal/core | composer | >= 8.0, < 8.1.3 | 8.1.3 |
drupal/drupal | composer | >= 8.0, < 8.1.3 | 8.1.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from missing access controls in Views integration with Statistics module data. The CWE-200 classification and advisory details indicate sensitive statistics data was exposed through Views displays. In Drupal's architecture: 1) field handlers require explicit access checks; 2) the Statistics module's Views integration would handle node view counts; 3) the patched versions (8.1.3/7.x-3.14) likely added permission checks in these methods. The combination of field handler methods (access() for permissions and query() for data inclusion) matches the vulnerability pattern of missing authorization checks when exposing sensitive data through Views.