DRUPAL-CONTRIB-2025-070

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/bookable_calendar/DRUPAL-CONTRIB-2025-070.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-070

Aliases

CVE-2025-48916

Published

2025-05-28T17:41:20Z

Modified

2025-12-10T23:41:25.166438Z

Summary

[none]

Details

This module enables you to setup a repeating date rule that users can "book" different dates, allowing you to let users register for a variety of different things like conference rooms or guitar lessons.

This module has a permission of "view booking" and "view booking contact" which allows you to view them regardless of whether you own them or not. Due to bad naming of the permissions it's likely admins have configured those to users that shouldn't have them.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "view booking" or "view booking contact".

References

https://www.drupal.org/sa-contrib-2025-070

Credits

- Ludo Hartzema (absoludo)
- - https://www.drupal.org/u/absoludo

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/bookable_calendar

Package

Name: drupal/bookable_calendar
Purl: pkg:composer/drupal/bookable_calendar

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

2.2.13

Database specific

{
    "constraint": "<2.2.13"
}

Database specific

affected_versions

"<2.2.13"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/bookable_calendar/DRUPAL-CONTRIB-2025-070.json"