Overview
Drupal is an open-source content management system known for its flexibility, robust features, and strong community support. Organizations of all sizes use it to build and manage dynamic websites and web applications. The Views Bulk Operations module, a popular contributed module in the Drupal 7 ecosystem, allows core Actions to be executed on nodes and other entities.
The Views Bulk Operations (VBO) module contains a security flaw (specifically, broken access control) of the kind described in SA-CORE-2025-002, which affects Drupal 8 and later. Although Drupal 7 lacks built-in permissions for Actions, the Drupal 7 version of VBO includes the actions_permissions sub-module, which provides similar functionality and thus shares this vulnerability.
In Drupal 7, views requiring the 'administer nodes' permission are secure, as this permission grants access to all Actions without needing further safeguards.
However, a view that enables bulk actions and is accessible to users without 'administer nodes' gives those users full access to execute every bulk action exposed by that view.
This vulnerability also impacts modules like Admin Views that depend on VBO for functionality.
This issue affects all versions of Views Bulk Operations in the 7.x branch.
Details
Module Info
- Product: Drupal
- Affected Modules: Views Bulk Operations
- Affected Versions: >=7.x-3.0
- Project Page: https://drupal.org/project/views_bulk_operations
Vulnerability Info
This medium-severity vulnerability is found in the Views Bulk Operations contributed module in versions greater than or equal to 7.x-3.0.
Steps to Reproduce
- Create a vanilla Drupal 7 site.
- Install any version of Views Bulk Operations compatible with Drupal 7 (that is, any version in the 7.x-3.x branch).
- Enable the following modules: Views, Views UI, Views Bulk Operations. Ensure that the Actions Permissions module is disabled.
- Create a view that lists all content using the Fields display format.
- Create a content item, such as an article.
- Add the “Bulk operations: Content” VBO field in the Fields section and configure a vulnerable Action such as “Make content sticky.”
- Create another user without administrator permissions; this user will have the default Authenticated role and thus only the View Published Content permission. Log in as that user.
- Visit the new view. Click the checkbox beside the new content item.
- Select “Make content sticky” from the Operations dropdown, click Execute and Ok.
- Observe that the Action occurred despite the new user not having sufficient permission. [THIS ACTION ACTUALLY CORRECTLY FAILS.]
Addressing the Issue
Users of the affected component(s) should address this vulnerability in one of the following ways:
- Mandate the use of the 'administer nodes' permission; this may not provide sufficient protection, so the next option is recommended instead.
- Enable the Actions Permissions sub-module and enable specific permissions as needed.
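As an added defender's check, not part of this advisory or the VBO project, the following Drupal 7 script audits an existing site for the condition set out in the reproduction steps and mitigations above: enabled views whose displays expose VBO actions without the 'administer nodes' access gate while actions_permissions is disabled. The 'vbo_operations' / 'selected' option names and the drush invocation are assumptions about the VBO 7.x-3.x field handler.

```php
<?php
// Added audit script (not from the advisory or the VBO project). Lists Views
// displays exposing VBO bulk actions without 'administer nodes' while the
// actions_permissions sub-module is disabled. Assumes Drupal 7, Views 3 and
// VBO 7.x-3.x; run with: drush php-script vbo_audit.php
function vbo_audit_exposed_displays() {
  $findings = array();
  // With actions_permissions enabled, per-action permissions apply and the
  // condition described in the advisory no longer holds.
  if (module_exists('actions_permissions')) { return $findings; }
  foreach (views_get_all_views() as $view) {
    if (!empty($view->disabled)) { continue; }
    foreach (array_keys($view->display) as $display_id) {
      $view->set_display($display_id);
      // get_option() resolves per-display overrides against the default display.
      $fields = (array) $view->display_handler->get_option('fields');
      $access = (array) $view->display_handler->get_option('access');
      $actions = array();
      foreach ($fields as $field) {
        // Assumption: VBO keeps its enabled actions under 'vbo_operations',
        // keyed by action id, with 'selected' => 1 for each chosen one.
        if (!isset($field['field']) || $field['field'] !== 'views_bulk_operations') { continue; }
        $ops = isset($field['vbo_operations']) ? (array) $field['vbo_operations'] : array();
        foreach ($ops as $id => $settings) {
          if (!empty($settings['selected'])) { $actions[] = $id; }
        }
      }
      if (empty($actions)) { continue; }
      // Per the advisory, a display gated by 'administer nodes' is safe.
      $safe = isset($access['type'], $access['perm'])
        && $access['type'] === 'perm' && $access['perm'] === 'administer nodes';
      if (!$safe) {
        $findings[] = array(
          'view' => $view->name, 'display' => $display_id,
          'access' => isset($access['type']) ? $access['type'] : 'none',
          'actions' => $actions,
        );
      }
    }
  }
  return $findings;
}
foreach (vbo_audit_exposed_displays() as $f) {
  printf("%s:%s access=%s actions=%s\n", $f['view'], $f['display'],
    $f['access'], implode(',', $f['actions']));
}
```

Each reported display should either be restricted to 'administer nodes' or have actions_permissions enabled with only the intended per-action permissions granted.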
Additional Resources
- SA-CORE-2025-002 for Drupal 8+
https://www.drupal.org/sa-core-2025-002
Credits
- Jeff Cardwell (jeff-cardwell)