Booking and Availability Management Tools for Drupal - Moderately critical - Access Bypass - SA-CONTRIB-2019-074

Project: Booking and Availability Management Tools for Drupal
Date: 2019-October-16
Security risk: Moderately critical 11∕25
Vulnerability: Access Bypass

Description

The Bat module provides a foundation through which a wide range of availability management, reservation and booking use cases can be addressed.

The routes used to view events don't sufficiently guard access for non-privileged users. Specifically, a user with the 'View own' permission for bat events can view others' events as well.
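The following is an added example, not code from the Bat module or from this advisory: a plain-PHP model of a "view own" check that never compares owners, beside one that does, with an invariant check a site maintainer could adapt into a regression test. The permission strings, array shapes and function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical permission names for this example; not the module's real strings.
const VIEW_ANY = 'view any event';
const VIEW_OWN = 'view own event';

/** Flawed pattern: holding the "own" permission is enough; ownership is never compared. */
function canViewFlawed(array $account, array $event): bool
{
    return in_array(VIEW_ANY, $account['permissions'], true)
        || in_array(VIEW_OWN, $account['permissions'], true);
}

/** Corrected pattern: "own" grants access only when the viewer owns the event. */
function canViewFixed(array $account, array $event): bool
{
    if (in_array(VIEW_ANY, $account['permissions'], true)) {
        return true;
    }
    return in_array(VIEW_OWN, $account['permissions'], true)
        && $account['uid'] === $event['owner_uid'];
}

/** Invariant: without "view any", nobody may view an event they do not own.
 *  Returns each violating pair as "uid:event_id". */
function findLeaks(callable $check, array $accounts, array $events): array
{
    $leaks = [];
    foreach ($accounts as $account) {
        $hasAny = in_array(VIEW_ANY, $account['permissions'], true);
        foreach ($events as $event) {
            $foreign = $account['uid'] !== $event['owner_uid'];
            if ($foreign && !$hasAny && $check($account, $event)) {
                $leaks[] = "{$account['uid']}:{$event['id']}";
            }
        }
    }
    return $leaks;
}

// Constructed sample data: two "own"-only users, one "any" user, one with no permissions.
$accounts = [['uid' => 2, 'permissions' => [VIEW_OWN]], ['uid' => 3, 'permissions' => [VIEW_OWN]],
             ['uid' => 4, 'permissions' => [VIEW_ANY]], ['uid' => 5, 'permissions' => []]];
$events = [['id' => 10, 'owner_uid' => 2], ['id' => 11, 'owner_uid' => 3]];

print_r(findLeaks('canViewFlawed', $accounts, $events)); // pairs that break the invariant
print_r(findLeaks('canViewFixed', $accounts, $events));  // the corrected check
```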

Solution

Install the latest version:

If you use the bat module for Drupal 8.x, upgrade to bat 8.x-1.2.
Also see the Booking and Availability Management Tools for Drupal project page.

https://www.drupal.org/sa-contrib-2019-074
