Vulnerabilities > CVE-2019-19826 - Deserialization of Untrusted Data vulnerability in Drupal Views Dynamic Field

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

drupal

CWE-502

critical

NVD

Published: 2019-12-16

Updated: 2019-12-27

Summary

The Views Dynamic Fields module through 7.x-1.0-alpha4 for Drupal makes insecure unserialize calls in handlers/views_handler_filter_dynamic_fields.inc, as demonstrated by PHP object injection, involving a field_names object and an Archive_Tar object, for file deletion. Code execution might also be possible.

Vulnerable Configurations

Part	Description	Count
Application	Drupal Drupal Views Dynamic Field 7.X-1.0 Drupal Views Dynamic Field 6.X-1.0 Drupal Views Dynamic Field 6.X-1.1 Drupal Views Dynamic Field 6.X-1.2 Drupal Views Dynamic Field 6.X-1.3 Drupal Views Dynamic Field 6.X-1.4	11

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

References

https://www.drupal.org/project/views_dynamic_fields/issues/3056600