SA-CORE-2025-002

Broken Access
Affects Views Bulk Operations module >= 7.x-3.0 in Drupal 7
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Drupal is an open-source content management system known for its flexibility, robust features, and strong community support. Organizations of all sizes use it to build and manage dynamic websites and web applications. The Views Bulk Operations module, a popular contributed module in the Drupal 7 ecosystem, allows core Actions to be executed on nodes and other entities.

The Views Bulk Operations (VBO) module has a broken access control flaw, described in SA-CORE-2025-002, that affects Drupal 8 and later. Although Drupal 7 lacks built-in permissions for Actions, the Drupal 7 version of VBO includes the actions_permissions sub-module, which provides similar functionality and thus shares this vulnerability.

In Drupal 7, views requiring the 'administer nodes' permission are secure, as this permission grants access to all Actions without needing further safeguards.

However, a view that enables bulk actions and is accessible to users without 'administer nodes' gives those users full access to execute every bulk action exposed by that View.

This vulnerability also impacts modules like Admin Views that depend on VBO for functionality.

This issue affects all versions of Views Bulk Operations in the 7.x branch.

Details

Module Info

Product: Drupal

Affected Modules: Views Bulk Operations

Affected Versions: >=7.x-3.0

Project Page: https://drupal.org/project/views_bulk_operations

Vulnerability Info

This medium-severity vulnerability is found in the Views Bulk Operations contributed module in versions greater than or equal to 7.x-3.0.

Credits

Addressing the Issue

Users of the affected component(s) should address this issue in one of the following ways:

  • Mandate the use of the 'administer nodes' permission; this may not provide sufficient protection, so the next action is recommended instead.
  • Enable the Actions Permissions sub-module and enable specific permissions as needed.
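
To find where these mitigations are needed, the sketch below lists each view display that carries a VBO field but is not gated by 'administer nodes', together with the bulk operations selected on it. It is an added example, not HeroDevs or VBO project code; the file name, the sample view, and the `views_bulk_operations` / `vbo_operations` option names (as seen in VBO 7.x-3.x view exports) are assumptions.

```php
<?php
// Added audit example (not HeroDevs or VBO code). Run: drush php-script vbo_audit.php
// Plain `php vbo_audit.php` audits the constructed sample at the bottom instead.
// Returns operations selected on a display reachable without 'administer nodes'.
function vbo_audit_exposed_operations(array $access, array $fields) {
  $type = isset($access['type']) ? $access['type'] : 'none';
  $perm = isset($access['perm']) ? $access['perm'] : '';
  if ($type === 'perm' && $perm === 'administer nodes') {
    return array();
  }
  $exposed = array();
  foreach ($fields as $field) {
    // Assumption: the VBO field handler is 'views_bulk_operations' with a 'vbo_operations' option.
    if (!isset($field['field']) || $field['field'] !== 'views_bulk_operations') {
      continue;
    }
    $ops = isset($field['vbo_operations']) ? (array) $field['vbo_operations'] : array();
    foreach ($ops as $key => $settings) {
      if (!empty($settings['selected'])) {
        $exposed[] = $key;
      }
    }
  }
  return $exposed;
}

$displays = array();
if (function_exists('views_get_all_views')) {
  foreach (views_get_all_views() as $name => $view) {
    foreach (array_keys($view->display) as $id) {
      // set_display() resolves options inherited from the default display.
      if (!$view->set_display($id)) { continue; }
      $h = $view->display_handler;
      $displays["$name:$id"] = array((array) $h->get_option('access'), (array) $h->get_option('fields'));
    }
  }
}
else {
  // Constructed sample: a page display gated only by 'access content'.
  $displays['sample_moderation:page'] = array(
    array('type' => 'perm', 'perm' => 'access content'),
    array('vbo' => array('field' => 'views_bulk_operations', 'vbo_operations' => array(
      'action::node_unpublish_action' => array('selected' => 1),
      'action::node_publish_action' => array('selected' => 0),
    ))),
  );
}
foreach ($displays as $label => $pair) {
  $exposed = vbo_audit_exposed_operations($pair[0], $pair[1]);
  if ($exposed) { print "$label exposes: " . implode(', ', $exposed) . "\n"; }
}
```

Displays restricted by role, or by any permission other than 'administer nodes', are reported as well, since the advisory treats only 'administer nodes' views as secure.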

Additional Resources

Vulnerability Details

ID: SA-CORE-2025-002

Project Affected: Views Bulk Operations module

Versions Affected: >= 7.x-3.0

Published date: May 16, 2025

≈ Fix date: May 5, 2025

Fixed in:

Severity: Medium

Category: Broken Access