DRUPAL-CONTRIB-2019-074

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/bat/DRUPAL-CONTRIB-2019-074.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2019-074
Published
2019-10-16T16:09:20Z
Modified
2025-12-10T23:33:29.611074Z
Summary
[none]
Details

The Bat module provides a foundation through which a wide range of availability management, reservation and booking use cases can be addressed.

The routes used to view events don't sufficiently guard access for non-privileged users. Specifically, a user with the 'View own' permission for bat events can view others' events as well.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/bat

Package

Name
drupal/bat
Purl
pkg:composer/drupal/bat

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.2.0
Database specific
{
    "constraint": "<1.2.0"
}

Database specific

affected_versions
"<1.2.0"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/bat/DRUPAL-CONTRIB-2019-074.json"