Date
Severity
Moderately Critical
Vulnerability
Access Bypass
Affected versions
<7.x-1.8

Description

The Views Reference Filter module provides AJAX functionality for updating dependent entity reference filters in Views exposed forms. However, the module's update callback function was configured with an open access callback (`'access callback' => TRUE`), which meant that any user, including anonymous visitors, could access this functionality without authentication or authorization checks.

Because the endpoint was reachable by anyone, unauthorized users could potentially trigger filter update operations. While this doesn't directly expose sensitive data or provide privilege escalation, it could cause unnecessary server load and allow manipulation of form filtering behavior that should be restricted to authenticated users with appropriate view access permissions.

This vulnerability was mitigated by implementing proper access control that validates:
1. The requested view exists and is valid
2. The specified display exists on the view
3. The current user has access to the view according to the view's access control settings
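
The three checks above, sketched as a Drupal 7 menu access callback. This is an added example, not the module's actual patch: the module name `example_vrf`, the route path and the function names are hypothetical, and `example_vrf_ajax_update` stands in for the module's existing update callback.

```php
<?php
/**
 * Constructed example for a hypothetical module "example_vrf".
 * Route path and function names are assumptions, not the module's own code.
 */

/**
 * Implements hook_menu().
 */
function example_vrf_menu() {
  $items = array();
  // Path positions 2 and 3 carry the view name and the display ID.
  $items['example-vrf/ajax/%/%'] = array(
    'page callback' => 'example_vrf_ajax_update',
    'page arguments' => array(2, 3),
    // Weak form described in the advisory, reachable by anonymous visitors:
    // 'access callback' => TRUE,
    // Hardened form: defer to the view's own access settings.
    'access callback' => 'example_vrf_ajax_access',
    'access arguments' => array(2, 3),
    'delivery callback' => 'ajax_deliver',
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Access callback: applies the three checks in order and denies by default.
 */
function example_vrf_ajax_access($view_name, $display_id) {
  // 1. The requested view exists and is not disabled.
  $view = views_get_view($view_name);
  if (!$view || !empty($view->disabled)) {
    return FALSE;
  }
  // 2. The specified display exists on that view.
  if (!isset($view->display[$display_id])) {
    return FALSE;
  }
  // 3. The current user passes the display's configured access plugin
  //    (permission, role, or none, as set in the Views UI).
  return (bool) $view->access($display_id);
}
```

Because the callback returns FALSE for an unknown view or display, a request with arbitrary path arguments gets the same 403 as a request for a view the user is not allowed to see.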

Solution

Install the latest version.

If you use the Views Reference Filter module for Drupal 7, upgrade to Views Reference Filter 7.x-1.8:


Reported by

Fixed by

  • Tag1 D7ES

Coordinated by