[Security-news] Views Bulk Operations (VBO) - Moderately critical - Access bypass - SA-CONTRIB-2020-003
security-news at drupal.org
Wed Feb 5 17:47:18 UTC 2020
View online: https://www.drupal.org/sa-contrib-2020-003
Project: Views Bulk Operations (VBO) [1]
Date: 2020-February-05
Security risk: *Moderately critical* 12∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass
Description:
Views Bulk Operations provides enhancements to running bulk actions on views.
The module contains an access bypass vulnerability that might allow users to
execute views actions that they should not have access to.
This vulnerability is mitigated by the fact that it only occurs in the case
of customised action access (by means of hook_action_info_alter).
Solution:
Install the latest version:
* If you use Views Bulk Operations version 3.x for Drupal 8.x, upgrade to
Views Bulk Operations 8.x-3.4 [3]
* If you use Views Bulk Operations version 2.x for Drupal 8.x, upgrade to
Views Bulk Operations 8.x-2.6 [4]
Also see the Views Bulk Operations (VBO) [5] project page.
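A triage sketch for the two conditions stated above (an installed release older than the fixed one, plus a hook_action_info_alter implementation), added here as an example and not part of the advisory or of the module's code. It assumes a Composer-managed site, where release 8.x-3.3 appears in composer.lock as 3.3.0; the sample lock entry, the `mymodule` source and the verdict labels are constructed for illustration.

```python
import json
import re

# Fixed releases named in the advisory, keyed by major branch (8.x-3.4 and 8.x-2.6).
FIXED = {3: (3, 4), 2: (2, 6)}
PACKAGE = "drupal/views_bulk_operations"  # Composer package name (assumes a Composer install)
HOOK_RE = re.compile(r"function\s+(\w+)_action_info_alter\s*\(")

# Constructed sample input: a minimal composer.lock and one custom module file.
SAMPLE_LOCK = '{"packages": [{"name": "drupal/views_bulk_operations", "version": "3.3.0"}]}'
SAMPLE_SOURCES = {"mymodule.module": "<?php\nfunction mymodule_action_info_alter(array &$definitions) {\n}\n"}


def installed_version(composer_lock_text):
    """Return (major, minor) of VBO from composer.lock text, or None if absent or not numeric."""
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            m = re.match(r"v?(\d+)\.(\d+)", pkg.get("version", ""))
            return (int(m.group(1)), int(m.group(2))) if m else None
    return None


def hook_implementations(sources):
    """Given {file name: PHP source}, list the modules implementing hook_action_info_alter."""
    found = set()
    for text in sources.values():
        found.update(HOOK_RE.findall(text))
    return sorted(found)


def triage(composer_lock_text, sources):
    """Return 'patched', 'exposed', 'upgrade' or 'unknown' (labels are this example's own)."""
    version = installed_version(composer_lock_text)
    if version is None:
        return "unknown"  # not found in composer.lock, or a dev/branch version string
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "unknown"  # branch not covered by the advisory
    if version >= fixed:
        return "patched"
    # Older than the fixed release: the advisory's precondition decides exposure.
    return "exposed" if hook_implementations(sources) else "upgrade"


if __name__ == "__main__":
    print(triage(SAMPLE_LOCK, SAMPLE_SOURCES))
```

The hook search is a textual heuristic over the files it is given; a result of "upgrade" means the precondition was not found in those files, not that the upgrade can be skipped.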
Reported By:
* Adam Shepherd [6]
Fixed By:
* Adam Shepherd [7]
* Marcin Grabias [8]
Coordinated By:
* Greg Knaddison [9] of the Drupal Security Team
[1] https://www.drupal.org/project/views_bulk_operations
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/views_bulk_operations/releases/8.x-3.4
[4] https://www.drupal.org/project/views_bulk_operations/releases/8.x-2.6
[5] https://www.drupal.org/project/views_bulk_operations
[6] https://www.drupal.org/user/2650563
[7] https://www.drupal.org/user/2650563
[8] https://www.drupal.org/user/1599440
[9] https://www.drupal.org/user/36762