Drupal Views Module Open Redirection Weakness and Information Disclosure Security Issue
Description
A weakness and a security issue have been reported in the Views module for Drupal, which can be exploited by malicious people to conduct spoofing attacks and disclose potentially sensitive information.
1) Certain input related to the page to break the lock on Views being edited is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.
Successful exploitation requires Views UI submodule to be enabled.
2) The application does not properly restrict access to the Views configurations, which can be exploited to disclose certain configuration settings.
Successful exploitation of this security issue requires "access content" and "access comment" permissions not being configured for unprivileged users and default views configuration to be enabled (disabled by default).
The weakness and security issue are reported in versions 6.x-2.x prior to 6.x-2.18, 6.x-3.x prior to 6.x-3.2, and 7.x-3.x prior to 7.x-3.10.
Update to version 6.x-2.18, 6.x-3.2, or 7.x-3.10.Version 6.x-2.18:https://www.drupal.org/node/2424101Version 6.x-3.2:https://www.drupal.org/node/2424097Version 7.x-3.10:https://www.drupal.org/node/2424103
