SA-CORE-2025-002

Broken Access
Affects: Views Bulk Operations module in Drupal 7
Versions: >= 7.x-3.0
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Overview

Drupal is an open-source content management system known for its flexibility, robust features, and strong community support. Organizations of all sizes use it to build and manage dynamic websites and web applications. The Views Bulk Operations module, a popular contributed module in the Drupal 7 ecosystem, allows core Actions to be executed on nodes and other entities.

The security flaw (specifically, broken access control) in the Views Bulk Operations (VBO) module described in SA-CORE-2025-002 affects Drupal 8 and later. Although Drupal 7 lacks built-in permissions for Actions, the Drupal 7 version of VBO includes the actions_permissions sub-module, which provides similar functionality and thus shares this vulnerability.

In Drupal 7, views requiring the 'administer nodes' permission are secure, as this permission grants access to all Actions without needing further safeguards.

However, a View that enables bulk actions and is accessible to users without 'administer nodes' lets those users execute every bulk action exposed by that View.

This vulnerability also impacts modules like Admin Views that depend on VBO for functionality.

This issue affects all versions of Views Bulk Operations in the 7.x branch.

Details

Module Info

Vulnerability Info

This medium-severity vulnerability is found in the Views Bulk Operations contributed module in versions greater than or equal to 7.x-3.0.

Steps to Reproduce

  1. Create a vanilla Drupal 7 site.
  2. Install any version of Views Bulk Operations compatible with Drupal 7 (that is, any version in the 7.x-3.x branch).
  3. Enable the following modules: Views, Views UI, Views Bulk Operations. Ensure that the Actions Permissions module is disabled.
  4. Create a view that lists all content using the Fields display format.
  5. Create a content item, such as an article.
  6. Add the “Bulk operations: Content” VBO field in the Fields section and configure a vulnerable Action such as “Make content sticky.”
  7. Create another user without administrator permissions; this user will have the default Authenticated role and thus only the View Published Content permission. Log in as that user.
  8. Visit the new view. Click the checkbox beside the new content item.
  9. Select “Make content sticky” from the Operations dropdown, click Execute, then OK.
  10. Observe that the Action occurred despite the new user not having sufficient permission. [THIS ACTION ACTUALLY CORRECTLY FAILS.]

Addressing the Issue

Users of the affected component(s) should address this vulnerability in one of the following ways:

  • Mandate the use of the 'administer nodes' permission on the View; this may not provide sufficient protection, so the second option is recommended instead.
  • Enable the Actions Permissions sub-module and grant specific per-action permissions as needed.
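The following is an added, self-contained model (not code from the advisory or from the VBO module) of the access decision described in the reproduction steps and the two mitigations above. It assumes a constructed per-action permission name ("execute <action>") standing in for the ones the Actions Permissions sub-module defines, and uses the Drupal 7 core action callback name node_make_sticky_action for "Make content sticky".

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

ADMINISTER_NODES = "administer nodes"  # Drupal 7 permission that grants every Action


@dataclass(frozen=True)
class User:
    name: str
    permissions: FrozenSet[str]


@dataclass(frozen=True)
class View:
    name: str
    access_permission: Optional[str]  # permission the View's access setting demands (None = open)
    bulk_actions: FrozenSet[str]      # Actions exposed by the "Bulk operations" field


def can_access_view(user: User, view: View) -> bool:
    """The View's own access check: the only gate the vulnerable path applies."""
    return view.access_permission is None or view.access_permission in user.permissions


def vulnerable_can_execute(user: User, view: View, action: str) -> bool:
    """Before the fix: reaching the View is enough to run any Action it exposes."""
    return can_access_view(user, view) and action in view.bulk_actions


def action_permission(action: str) -> str:
    """Constructed per-action permission name (assumption; not the sub-module's real naming)."""
    return f"execute {action}"


def hardened_can_execute(user: User, view: View, action: str) -> bool:
    """Per-action permissions enforced: 'administer nodes' still grants every Action,
    anyone else needs the specific permission for that Action."""
    if not vulnerable_can_execute(user, view, action):
        return False
    return ADMINISTER_NODES in user.permissions or action_permission(action) in user.permissions


# Constructed scenario mirroring the reproduction steps: an open View listing all content.
STICKY = "node_make_sticky_action"
OPEN_VIEW = View("content_listing", None, frozenset({STICKY}))
LOCKED_VIEW = View("content_listing", ADMINISTER_NODES, frozenset({STICKY}))  # mitigation 1
AUTHENTICATED = User("viewer", frozenset({"access content"}))
EDITOR = User("editor", frozenset({"access content", ADMINISTER_NODES}))
DELEGATE = User("delegate", frozenset({"access content", action_permission(STICKY)}))


def scenario() -> dict:
    return {
        "vulnerable_open_view": vulnerable_can_execute(AUTHENTICATED, OPEN_VIEW, STICKY),  # the bypass
        "locked_view": vulnerable_can_execute(AUTHENTICATED, LOCKED_VIEW, STICKY),
        "hardened_open_view": hardened_can_execute(AUTHENTICATED, OPEN_VIEW, STICKY),
        "hardened_editor": hardened_can_execute(EDITOR, OPEN_VIEW, STICKY),
        "hardened_delegate": hardened_can_execute(DELEGATE, OPEN_VIEW, STICKY),
    }
```

Running `scenario()` shows the open View allowing the authenticated user through the vulnerable path only, while both mitigations deny that user and the hardened path still admits the node administrator and the explicitly delegated user.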

Additional Resources

Credits

Vulnerability Details

ID: SA-CORE-2025-002
Project Affected: Views Bulk Operations module
Versions Affected: >= 7.x-3.0
Published date: May 16, 2025
≈ Fix date: May 5, 2025
Fixed in:
Severity: Medium
Category: Broken Access

CVSS assessment scale:
Low: >=0 <4
Medium: >=4 <6
High: >=6 <8
Critical: >=8 <10