Booking and Availability Management Tools for Drupal - Moderately critical - Access Bypass - SA-CONTRIB-2019-074
Project: Booking and Availability Management Tools for Drupal Date: 2019-October-16 Security risk: Moderately critical 11∕25 Vulnerability: Access Bypass
The Bat module provides a foundation through which a wide range of availability management, reservation and booking use cases can be addressed.
The routes used to view events don't sufficiently guard access for non-privileged users. Specifically, a user with the 'View own' permission for bat events can view others' events as well.
Install the latest version:
If you use the bat module for Drupal 8.x, upgrade to bat 8.x-1.2
Also see the Booking and Availability Management Tools for Drupal project page.