[IT-SecNots] [Security-news] Bookable Calendar - Less critical - Access bypass - SA-CONTRIB-2025-070

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-contrib-2025-070

Project: Bookable Calendar [1]
Date: 2025-May-28
Security risk: *Less critical* 9 ∕ 25
AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass

Affected versions: <2.2.13
CVE IDs: CVE-2025-48916
Description: 
This module enables you to setup a repeating date rule that users can "book"
different dates, allowing you to let users register for a variety of
different things like conference rooms or guitar lessons.

This module has a permission of "view booking" and "view booking contact"
which allows you to view them regardless of whether you own them or not. Due
to bad naming of the permissions it's likely admins have configured those to
users that shouldn't have them.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "view booking" or "view booking contact".

Solution: 
Install the latest version:

 * If you use the Bookable Calendar module for Drupal 8.x, upgrade to
   Bookable Calendar 2.2.13 [3]

.. Manual Steps to patch issue

This fix requires a View update to resolve the issue. The full view config
can be found in: config/install/views.view.booking_contant.yml. If you
haven't customised this view yourself, you can just re-import the view
config, either through the Config Sync UI or through drush like this: drush
cim --partial --source=modules/contrib/bookable_calendar/config/install. The
Drush config import will import all View changes to the whole module, not
just this one view.

If you want to manually update the view through the Views UI, go to
admin/structure/views/view/booking_contact and edit both the User Bookings
and Past Bookings display on the view. The only change required is in the
Contextual Filter, add a Validation Criteria under the section (when the
filter is in the URL or a default is provided) and set the Action to "Display
'Access Denied'".

Reported By: 
 * Ludo Hartzema (absoludo) [4]

Fixed By: 
 * Ludo Hartzema (absoludo) [5]
 * Josh Fabean (josh.fabean) [6]

Coordinated By: 
 * Bram Driesen (bramdriesen) [7]
 * Greg Knaddison (greggles) [8] of the Drupal Security Team
 * Juraj Nemec (poker10) [9] of the Drupal Security Team
 * Cathy Theys (yesct) [10] of the Drupal Security Team


[1] https://www.drupal.org/project/bookable_calendar
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/bookable_calendar/releases/2.2.13
[4] https://www.drupal.org/u/absoludo
[5] https://www.drupal.org/u/absoludo
[6] https://www.drupal.org/u/joshfabean
[7] https://www.drupal.org/u/bramdriesen
[8] https://www.drupal.org/u/greggles
[9] https://www.drupal.org/u/poker10
[10] https://www.drupal.org/u/yesct

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news