
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN070
_____________________________________________________________________

DATE                : 06/02/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Drupal Views Bulk Operations
                        versions prior to 8.x-3.4, 8.x-2.6.

=====================================================================
https://www.drupal.org/sa-contrib-2020-003
_____________________________________________________________________

Views Bulk Operations (VBO) - Moderately critical - Access bypass -
SA-CONTRIB-2020-003

Project:         Views Bulk Operations (VBO)
Date:            2020-February-05
Security risk:   Moderately critical 12/25
                 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability:   Access bypass


Description:

Views Bulk Operations provides enhancements to running bulk actions on
views.

The module contains an access bypass vulnerability that might allow
users to execute views actions that they should not have access to.

This vulnerability is mitigated by the fact that it only occurs in the
case of customised action access (by means of hook_action_info_alter).


Solution:

Install the latest version:

  * If you use Views Bulk Operations version 3.x for Drupal 8.x, upgrade
    to Views Bulk Operations 8.x-3.4
  * If you use Views Bulk Operations version 2.x for Drupal 8.x, upgrade
    to Views Bulk Operations 8.x-2.6

Also see the Views Bulk Operations (VBO) project page.
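
As an added example (not part of the advisory or of the VBO project), a
small Python check that reads a composer.lock and reports whether the
installed Views Bulk Operations release is below the fixed versions listed
above. It assumes the Composer package name drupal/views_bulk_operations and
that Drupal.org's Composer endpoint exposes 8.x-3.4 as 3.4.0 and 8.x-2.6 as
2.6.0; the sample lock file is constructed.

```python
import json

# Fixed releases from SA-CONTRIB-2020-003, keyed by major branch.
# Assumption: Drupal.org's Composer endpoint exposes 8.x-3.4 as 3.4.0
# and 8.x-2.6 as 2.6.0.
FIXED = {3: (3, 4, 0), 2: (2, 6, 0)}
PACKAGE = "drupal/views_bulk_operations"  # assumed Composer package name


def parse_version(version):
    """Normalise '3.3.0', 'v3.3.0' or legacy '8.x-3.3' to an int triple."""
    v = version.strip().lstrip("v")
    if v.startswith("8.x-"):
        v = v[4:]
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        # '3.x-dev' yields (3, 0, 0): a dev snapshot is treated conservatively
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version):
    """True if below the fixed release of its branch; None if not covered."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return None
    return v < fixed


def check_lock(lock_text):
    """Return (installed version, verdict) for VBO from a composer.lock."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            return pkg["version"], is_vulnerable(pkg["version"])
    return None, None


# Constructed sample lock file with a pre-fix VBO release.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "drupal/core", "version": "8.8.1"},
    {"name": PACKAGE, "version": "3.3.0"},
]})
```

Run check_lock() on the contents of a site's real composer.lock; a verdict
of None means the installed branch is not one the advisory covers.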


Reported By:

  * Adam Shepherd


Fixed By:

  * Adam Shepherd
  * Marcin Grabias


Coordinated By:

  * Greg Knaddison of the Drupal Security Team


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================