CVSS2 score: 4.9 (Medium)
Vector: AV:N/AC:M/Au:S/C:N/I:P/A:P
  Attack Vector: Network
  Attack Complexity: Medium
  Authentication: Single
  Confidentiality Impact: None
  Integrity Impact: Partial
  Availability Impact: Partial
EPSS: 0.967 (High), percentile 99.7%
The Views Bulk Operations module enables you to add bulk operations to administration views, executing actions on multiple selected rows.
The module doesn't sufficiently guard user entities against unauthorized modification. A user who can access a user account listing view with VBO enabled (such as admin/people when the administration_views module is used) can select their own account and give themselves a higher role (such as "administrator"), even without the "administer users" permission.
This vulnerability is mitigated by the fact that an attacker must have access to such a user listing page and that the bulk operation for changing roles must be enabled on that view.
Drupal core is not affected. If you do not use the contributed Views Bulk Operations (VBO) module, there is nothing you need to do.
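The flaw described above is a missing per-entity access check inside a bulk action: the action trusts that anyone who can reach the listing view is allowed to modify every row it shows. The following is an added example, not VBO's own code or its fix, showing a Drupal 7 "add roles" action written the unsafe way beside a hardened form that checks the acting user's permission for each account it touches. The module name example_roles, the action callback names and the add_roles context key are assumptions for illustration; the hook_action_info(), user_access(), user_save(), user_roles() and watchdog() calls are the Drupal 7 API.

```php
<?php
/**
 * Added example (not VBO's own code): a Drupal 7 bulk action that adds
 * roles to selected user accounts, unsafe and hardened variants.
 *
 * Assumptions: the module name "example_roles", the callback names and the
 * 'add_roles' context key are hypothetical; the rest is the Drupal 7 API.
 */

/**
 * Implements hook_action_info().
 */
function example_roles_action_info() {
  $common = array(
    'type' => 'user',
    'configurable' => TRUE,
    'behavior' => array('changes_property'),
    'triggers' => array('any'),
  );
  return array(
    'example_roles_unsafe_add_role_action' => $common + array(
      'label' => t('Add roles to the selected users (unsafe)'),
    ),
    'example_roles_safe_add_role_action' => $common + array(
      'label' => t('Add roles to the selected users'),
    ),
  );
}

/**
 * Unsafe: no access check on the target entity. A user who can see the
 * listing view but lacks 'administer users' selects their own row, picks
 * 'administrator' in the form, and is saved with that role.
 */
function example_roles_unsafe_add_role_action($account, $context) {
  // Array union keeps existing rid => name pairs and adds the chosen ones.
  $roles = $account->roles + $context['add_roles'];
  user_save($account, array('roles' => $roles));
}

/**
 * Hardened: the check is made inside the action, per entity, so it holds
 * no matter which view exposed the action. Changing roles requires
 * 'administer users' on the acting user, including for their own account.
 */
function example_roles_safe_add_role_action($account, $context) {
  global $user;
  if (!user_access('administer users', $user)) {
    watchdog('example_roles', 'Denied role change on user %uid by user %actor.',
      array('%uid' => $account->uid, '%actor' => $user->uid), WATCHDOG_WARNING);
    return;
  }
  $roles = $account->roles + $context['add_roles'];
  user_save($account, array('roles' => $roles));
}

/**
 * Configuration form for the hardened action: pick the roles to add.
 * user_roles(TRUE) returns authenticated roles as rid => name.
 */
function example_roles_safe_add_role_action_form($context) {
  $form['add_roles'] = array(
    '#type' => 'checkboxes',
    '#title' => t('Roles to add'),
    '#options' => user_roles(TRUE),
  );
  return $form;
}

function example_roles_safe_add_role_action_submit($form, $form_state) {
  // Keep only the checked boxes; the returned array becomes $context.
  $rids = array_filter($form_state['values']['add_roles']);
  return array('add_roles' => array_intersect_key(user_roles(TRUE), $rids));
}

// The unsafe variant uses the same form; only the action callback differs.
function example_roles_unsafe_add_role_action_form($context) {
  return example_roles_safe_add_role_action_form($context);
}

function example_roles_unsafe_add_role_action_submit($form, $form_state) {
  return example_roles_safe_add_role_action_submit($form, $form_state);
}
```

The point of the hardened variant is where the check lives: the view's own access setting only controls who can load the listing, and a bulk action can be attached to any view, so the action itself must verify that the acting user may modify each entity it is handed. Restricting the listing view to 'administer users' is a useful defence in depth but does not replace that check.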
Install the latest version:
Also see the Views Bulk Operations (VBO) project page.
www.drupal.org/project/views_bulk_operations