
it-securitynotifies - [IT-SecNots] [Security-news] Views Bulk Operations (VBO) - Moderately critical - Access bypass - SA-CONTRIB-2020-003

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Views Bulk Operations (VBO) - Moderately critical - Access bypass - SA-CONTRIB-2020-003
  • Date: Wed, 5 Feb 2020 17:47:18 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2020-003

Project: Views Bulk Operations (VBO) [1]
Date: 2020-February-05
Security risk: *Moderately critical* 12∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

Description: 
Views Bulk Operations provides enhancements to running bulk actions on views.

The module contains an access bypass vulnerability that might allow users to
execute views actions that they should not have access to.

This vulnerability is mitigated by the fact that it only occurs in the case
of customised action access (by means of hook_action_info_alter).

Solution: 
Install the latest version:

* If you use Views Bulk Operations version 3.x for Drupal 8.x, upgrade to
Views Bulk Operations 8.x-3.4 [3]
* If you use Views Bulk Operations version 2.x for Drupal 8.x, upgrade to
Views Bulk Operations 8.x-2.6 [4]

Also see the Views Bulk Operations (VBO) [5] project page.

Reported By: 
* Adam Shepherd [6]

Fixed By: 
* Adam Shepherd [7]
* Marcin Grabias [8]

Coordinated By: 
* Greg Knaddison [9] of the Drupal Security Team


[1] https://www.drupal.org/project/views_bulk_operations
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/views_bulk_operations/releases/8.x-3.4
[4] https://www.drupal.org/project/views_bulk_operations/releases/8.x-2.6
[5] https://www.drupal.org/project/views_bulk_operations
[6] https://www.drupal.org/user/2650563
[7] https://www.drupal.org/user/2650563
[8] https://www.drupal.org/user/1599440
[9] https://www.drupal.org/user/36762
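
An added example, not part of the advisory or of the module's code: a check of a site's `composer.lock` against the fixed releases listed under Solution. It assumes the Composer package name `drupal/views_bulk_operations` and that Composer reports release 8.x-3.4 as `3.4.0`; the lock content is constructed sample data.

```python
import json
import re

# Fixed releases from SA-CONTRIB-2020-003, keyed by module branch (2.x, 3.x).
FIXED = {2: (2, 6), 3: (3, 4)}
# Assumption: Composer package name follows the drupal/<project> convention.
PACKAGE = "drupal/views_bulk_operations"


def parse_version(raw):
    """Return (major, minor) for '8.x-3.3', '3.3.0' or 'v3.3'; None otherwise."""
    v = raw.strip().lower().lstrip("v")
    if v.startswith("8.x-"):
        v = v[4:]
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.\d+)?", v)
    return (int(m.group(1)), int(m.group(2))) if m else None


def assess(version):
    """Classify a version string as 'fixed', 'upgrade' or 'unknown'."""
    parsed = parse_version(version)
    # Dev builds, pre-releases and branches the advisory does not list
    # cannot be decided from the version string alone.
    if parsed is None or parsed[0] not in FIXED:
        return "unknown"
    return "fixed" if parsed >= FIXED[parsed[0]] else "upgrade"


def check_lock(lock_text):
    """Return (installed_version, status) for the module in a composer.lock."""
    data = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section) or []:
            if pkg.get("name") == PACKAGE:
                version = pkg.get("version", "")
                return version, assess(version)
    return None, "not-installed"


# Constructed sample lock file content, not taken from a real site.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "8.8.1"},
        {"name": "drupal/views_bulk_operations", "version": "3.3.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
    for v in ("8.x-3.4", "8.x-2.5", "2.6.0", "3.x-dev"):
        print(v, assess(v))
```

An `unknown` result (dev checkout, pre-release, or a branch the advisory does not name) needs a manual look at the installed code.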
