Views Bulk Operations (VBO) - Moderately critical - Access bypass - SA-CONTRIB-2020-003

Project: Views Bulk Operations (VBO)
Date: 2020-February-05
Security risk: Moderately critical 12∕25
Vulnerability: Access bypass

Description

Views Bulk Operations provides enhancements to running bulk actions on views.

The module contains an access bypass vulnerability that might allow users to execute views actions that they should not have access to.

This vulnerability is mitigated by the fact that it only occurs in the case of customised action access (by means of hook_action_info_alter).

Solution

Install the latest version:

If you use Views Bulk Operations version 3.x for Drupal 8.x, upgrade to Views Bulk Operations 8.x-3.4.
If you use Views Bulk Operations version 2.x for Drupal 8.x, upgrade to Views Bulk Operations 8.x-2.6.
Also see the Views Bulk Operations (VBO) project page.
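
To check a site against this advisory, the sketch below reads composer.lock for the installed VBO release and lists hook_action_info_alter implementations, the condition under which the issue occurs. It is an added example, not code from the advisory or the VBO project. It assumes that Composer reports the 8.x-3.4 release as 3.4.0 and that hooks live in *.module files; lock_with, vbo_status, find_action_info_alter and scan_tree are hypothetical helper names, and the sample inputs are constructed.

```python
import json
import re
from pathlib import Path

PACKAGE = "drupal/views_bulk_operations"
# Fixed releases named in the advisory, keyed by major branch.
# Assumption: Composer shows Drupal release 8.x-3.4 as 3.4.0, 8.x-2.6 as 2.6.0.
FIXED = {3: (3, 4), 2: (2, 6)}
HOOK_RE = re.compile(r"function\s+(\w+_action_info_alter)\s*\(")


def lock_with(version):
    """Build a constructed, minimal composer.lock document for demonstration."""
    return json.dumps({"packages": [{"name": PACKAGE, "version": version}]})


def vbo_status(lock_text):
    """Return (installed_version, verdict) for VBO from composer.lock text."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") != PACKAGE:
            continue
        version = pkg.get("version", "")
        m = re.match(r"v?(\d+)\.(\d+)", version)
        if not m or int(m.group(1)) not in FIXED:
            return version, "unknown"  # dev checkout or other branch: review by hand
        found = (int(m.group(1)), int(m.group(2)))
        return version, "fixed" if found >= FIXED[found[0]] else "vulnerable"
    return None, "not-installed"


def find_action_info_alter(php_source):
    """List hook_action_info_alter implementations found in PHP source text."""
    return HOOK_RE.findall(php_source)


def scan_tree(root):
    """Map each *.module file under root to the alter hooks it implements."""
    hits = {}
    for path in sorted(Path(root).rglob("*.module")):
        found = find_action_info_alter(path.read_text(errors="replace"))
        if found:
            hits[str(path)] = found
    return hits


if __name__ == "__main__":
    print(vbo_status(lock_with("3.3.0")))
    print(find_action_info_alter("function mymodule_action_info_alter(array &$definitions) {}"))
```

A "vulnerable" verdict together with at least one hook implementation in site code marks an installation to upgrade first. A hit from scan_tree only shows that action definitions are altered somewhere, so each one still needs reading.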

Alex Shaposhnik
Technical Support Specialist