PT-2019-4535 · Drupal · Drupal Views Dynamic Fields

Br0X · Published 2019-12-16 · Updated 2019-12-27 · CVE-2019-19826

CVSS v3.1: 9.8 Critical (the base score that the vector below yields)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Drupal Views Dynamic Fields module, versions prior to 7.x-1.0-alpha4
Description The Views Dynamic Fields module for Drupal 7 makes insecure unserialize() calls in its filter handler, handlers/views_handler_filter_dynamic_fields.inc. Because the serialized string is attacker-influenced, the call is a PHP object injection primitive: an attacker can instantiate any class the application has loaded, and magic methods such as __destruct() or __wakeup() on that class then run with attacker-controlled property values. The demonstrated chain involves a field_names value and an Archive_Tar object (Drupal 7 core ships the PEAR Archive_Tar class, whose destructor removes a temporary file) and results in arbitrary file deletion; remote code execution may also be possible. No authentication or user interaction is required.
Recommendations For versions prior to 7.x-1.0-alpha4, update to a release that fixes the insecure unserialize() calls in handlers/views_handler_filter_dynamic_fields.inc. As a temporary workaround, restrict access to the affected handler file to reduce exposure, and avoid relying on the field_names and Archive_Tar object handling in the affected module until a fixed release is installed.
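The following is an added illustration, not code from the Views Dynamic Fields module or from Drupal, of why a bare unserialize() on attacker-influenced data is a PHP object injection primitive and of two ways to close it. The class TempFileCleanup and the function names are hypothetical; TempFileCleanup plays the role that a class such as Archive_Tar plays in a real chain: its destructor deletes a file named by a property the attacker controls. The serialized payload and the temporary files are constructed inline so the script runs offline.

```php
<?php
declare(strict_types=1);

// Added example (not the module's or Drupal's code). TempFileCleanup is a
// hypothetical stand-in for an application class whose destructor removes
// a file; the attacker never needs to define it, only to name it.
class TempFileCleanup
{
    public string $path = '';

    // Runs when the object is released, including for objects that
    // unserialize() materialised without ever calling a constructor, so the
    // attacker fully controls $this->path.
    public function __destruct()
    {
        if ($this->path !== '' && is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable pattern: restore a stored option with a bare unserialize().
// Any class in the process may be instantiated with attacker-chosen state.
function restore_vulnerable(string $serialized): mixed
{
    return unserialize($serialized);
}

// Hardened pattern 1: keep unserialize() but forbid every class. Object
// payloads come back as inert __PHP_Incomplete_Class instances, so no magic
// method of the attacker's chosen class is ever invoked.
function restore_no_classes(string $serialized): mixed
{
    return unserialize($serialized, ['allowed_classes' => false]);
}

// Hardened pattern 2: do not use PHP serialization for data that crosses a
// trust boundary at all. JSON has no object identity and no magic methods;
// the result is validated to the shape the caller expects (list of strings).
function restore_json(string $json): array
{
    $value = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($value)) {
        throw new UnexpectedValueException('expected a list of field names');
    }
    return array_values(array_filter($value, 'is_string'));
}

// Builds the kind of payload an attacker would submit: a serialized
// TempFileCleanup whose path points at the file they want removed.
function attacker_payload(string $target): string
{
    return sprintf('O:15:"TempFileCleanup":1:{s:4:"path";s:%d:"%s";}',
                   strlen($target), $target);
}

// Demonstration on constructed input (a throwaway file in the temp dir).
$victim = tempnam(sys_get_temp_dir(), 'poi');
restore_vulnerable(attacker_payload($victim)); // object built and released here
printf("vulnerable: victim file still exists? %s\n", file_exists($victim) ? 'yes' : 'no');

$victim = tempnam(sys_get_temp_dir(), 'poi');
$obj = restore_no_classes(attacker_payload($victim));
printf("allowed_classes=false: got an instance of %s\n", get_class($obj));
unset($obj);
printf("hardened: victim file still exists? %s\n", file_exists($victim) ? 'yes' : 'no');
unlink($victim);

print_r(restore_json('["title", "body", 42]'));
```

Run it with any PHP 8 interpreter. The first call deletes the temporary file without the script ever calling `new TempFileCleanup`, which is the whole point of the bug class: the gadget's constructor is irrelevant, only its magic methods and the properties the attacker serialises. The `allowed_classes => false` option is the smallest change that neutralises the handler's existing unserialize() calls when the stored value is meant to be a plain array or string; switching the storage format to JSON removes the primitive entirely.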

Fix

Weakness Enumeration

CWE-502: Deserialization of Untrusted Data

Related Identifiers

BDU:2020-00575
CVE-2019-19826

Affected Products

Drupal Views Dynamic Fields