Bookable Calendar - Less critical - Access bypass - SA-CONTRIB-2025-070

Project: Bookable Calendar
Date: 2025-May-28
Security risk: Less critical 9/25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Affected versions: <2.2.13
CVE IDs: CVE-2025-48916
Description: This module enables you to set up a repeating date rule from which users can "book" individual dates, letting users register for a variety of things such as conference rooms or guitar lessons.
This module provides the permissions "view booking" and "view booking contact", which allow a user to view bookings and booking contacts regardless of whether they own them. Because the permission names do not make this clear, it is likely that administrators have granted them to roles that should not have them.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "view booking" or "view booking contact".
Solution: Install the latest version:

Manual Steps to patch issue
This fix requires a View update to resolve the issue. The full view config can be found in config/install/views.view.booking_contact.yml. If you haven't customised this view yourself, you can simply re-import the view config, either through the Config Sync UI or through Drush like this: drush cim --partial --source=modules/contrib/bookable_calendar/config/install. Note that the Drush config import will import all config changes for the whole module, not just this one view.
If you want to manually update the view through the Views UI, go to admin/structure/views/view/booking_contact and edit both the User Bookings and Past Bookings displays on the view. The only change required is in the Contextual Filter: add a Validation Criteria under the section "When the filter value is in the URL or a default is provided" and set the Action to "Display 'Access Denied'".
Reported By: 
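After applying either the config re-import or the manual Views UI change, it is worth confirming that every booking display actually ends up with a validated contextual filter that fails with "Access Denied", because a page display that still inherits its contextual filters from the default display is not fixed by editing only one of them. The following script is an added verification example, not code from the advisory or from the Bookable Calendar module. It reads a view export in the JSON shape produced by drush config:get views.view.booking_contact --format=json and reports displays whose effective contextual filters are either unvalidated or configured to fail with something other than "access denied". The display machine names (user_bookings, past_bookings) and the argument name (uid) in the embedded sample are constructed assumptions; the real view may use different identifiers.

```python
"""Verify that each display of a Drupal Views export validates its contextual
filters and fails with "access denied".

Added verification example for the Bookable Calendar advisory; not module code.
Input shape follows a views.view.*.yml export as emitted by
`drush config:get views.view.booking_contact --format=json`.
"""
import json
import sys

# Constructed sample export. Display ids and the "uid" argument are assumptions
# used only to illustrate the check; they are not taken from the advisory.
SAMPLE_EXPORT = json.dumps({
    "id": "booking_contact",
    "display": {
        "default": {
            "display_plugin": "default",
            "display_options": {
                # Unvalidated filter: "fail" is never consulted when type is "none".
                "arguments": {
                    "uid": {"id": "uid", "validate": {"type": "none", "fail": "not found"}}
                }
            },
        },
        "user_bookings": {
            "display_plugin": "page",
            "display_options": {
                # Overrides the default display's filters and applies the fix.
                "defaults": {"arguments": False},
                "arguments": {
                    "uid": {"id": "uid", "validate": {"type": "user", "fail": "access denied"}}
                },
            },
        },
        "past_bookings": {
            "display_plugin": "page",
            # No "defaults.arguments: false", so this display still inherits the
            # default display's unvalidated filter and remains exposed.
            "display_options": {},
        },
    },
})


def effective_arguments(displays, display_id):
    """Return the contextual filters a display actually uses.

    In a Views export, display_options.defaults.<option> == False marks an
    option as overridden on that display; when the key is absent (or True)
    the display inherits the option from the "default" display.
    """
    opts = displays[display_id].get("display_options", {})
    inherits = opts.get("defaults", {}).get("arguments", True)
    if inherits:
        return displays["default"].get("display_options", {}).get("arguments", {})
    return opts.get("arguments", {})


def find_unprotected_displays(export_json, skip=("default",)):
    """Map display id -> list of contextual filters that do not deny access.

    A filter counts as protected only when it has a real validator
    (validate.type != "none") and validate.fail == "access denied".
    """
    view = json.loads(export_json)
    displays = view["display"]
    unprotected = {}
    for display_id in displays:
        if display_id in skip:
            continue
        failing = []
        for name, arg in effective_arguments(displays, display_id).items():
            validate = arg.get("validate", {})
            if validate.get("type", "none") == "none" or validate.get("fail") != "access denied":
                failing.append(name)
        if failing:
            unprotected[display_id] = failing
    return unprotected


def main():
    # Pipe a real export on stdin, otherwise the constructed sample is checked.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_EXPORT
    report = find_unprotected_displays(data or SAMPLE_EXPORT)
    if report:
        for display_id, args in report.items():
            print(f"display '{display_id}': filters not denying access: {', '.join(args)}")
        sys.exit(1)
    print("all displays validate their contextual filters with 'access denied'")


if __name__ == "__main__":
    main()
```

Run it against a live site with drush config:get views.view.booking_contact --format=json | python3 check_view.py; a non-zero exit means at least one display still needs the Validation Criteria change described above.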

Fixed By: 

Coordinated By: 

Path to article https://www.drupal.org/sa-contrib-2025-070