
<div dir="ltr"><div>View online: <a href="https://www.drupal.org/sa-core-2025-002" rel="noreferrer" target="_blank">https://www.drupal.org/sa-core-2025-002</a><br>

<br>

Project: Drupal core [1]<br>

Date: 2025-February-19<br>

Security risk: *Moderately critical* 13 ∕ 25<br>

AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]<br>

Vulnerability: Access bypass<br>

<br>

Affected versions: >= 8.0.0 < 10.3.13 || >= 10.4.0 < 10.4.3 || >= 11.0.0 <<br>

11.0.12 || >= 11.1.0 < 11.1.3<br>

Description: <br>

Bulk operations allow authorized users to modify several nodes at once from<br>

the Content page (/admin/content). A site builder can also add bulk<br>

operations to other pages using Views.<br>

<br>

A bug in the core Actions system allows some users to modify some fields<br>

using bulk actions that they do not have permission to modify on individual<br>

nodes.<br>

<br>

This vulnerability is mitigated by the fact that an attacker must have<br>

permission to access /admin/content or other, custom views and to edit nodes.<br>

<br>

In particular, the bulk operations<br>

<br>

  * Make content sticky<br>

  * Make content unsticky<br>

  * Promote content to front page<br>

  * Publish content<br>

  * Remove content from front page<br>

  * Unpublish content<br>

<br>

now require the "Administer content" permission.<br>

<br>

Solution: <br>

Install the latest version:<br>

<br>

  * If you are using Drupal 10.3, update to Drupal 10.3.13 [3].<br>

  * If you are using Drupal 10.4, update to Drupal 10.4.3 [4].<br>

  * If you are using Drupal 11.0, update to Drupal 11.0.12 [5].<br>

  * If you are using Drupal 11.1, update to Drupal 11.1.3 [6].<br>

<br>

All versions of Drupal 10 prior to 10.3 are end-of-life and do not receive<br>

security coverage. (Drupal 8 [7] and Drupal 9 [8] have both reached<br>

end-of-life.)<br>

<br>

Reported By: <br>

  * jeff cardwell [9]<br>

<br>

Fixed By: <br>

  * Benji Fisher (benjifisher) [10] of the Drupal Security Team<br>

  * jeff cardwell [11]<br>

  * Mingsong  (mingsong) [12] Provisional Member of the Drupal Security Team<br>

  * Juraj Nemec (poker10) [13] of the Drupal Security Team<br>

<br>

<br>

[1] <a href="https://www.drupal.org/project/drupal" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal</a><br>

[2] <a href="https://www.drupal.org/security-team/risk-levels" rel="noreferrer" target="_blank">https://www.drupal.org/security-team/risk-levels</a><br>

[3] <a href="https://www.drupal.org/project/drupal/releases/10.3.13" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal/releases/10.3.13</a><br>

[4] <a href="https://www.drupal.org/project/drupal/releases/10.4.3" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal/releases/10.4.3</a><br>

[5] <a href="https://www.drupal.org/project/drupal/releases/11.0.12" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal/releases/11.0.12</a><br>

[6] <a href="https://www.drupal.org/project/drupal/releases/11.1.3" rel="noreferrer" target="_blank">https://www.drupal.org/project/drupal/releases/11.1.3</a><br>

[7] <a href="https://www.drupal.org/psa-2021-06-29" rel="noreferrer" target="_blank">https://www.drupal.org/psa-2021-06-29</a><br>

[8] <a href="https://www.drupal.org/psa-2023-11-01" rel="noreferrer" target="_blank">https://www.drupal.org/psa-2023-11-01</a><br>

[9] <a href="https://www.drupal.org/u/jeff-cardwell" rel="noreferrer" target="_blank">https://www.drupal.org/u/jeff-cardwell</a><br>

[10] <a href="https://www.drupal.org/u/benjifisher" rel="noreferrer" target="_blank">https://www.drupal.org/u/benjifisher</a><br>

[11] <a href="https://www.drupal.org/u/jeff-cardwell" rel="noreferrer" target="_blank">https://www.drupal.org/u/jeff-cardwell</a><br>

[12] <a href="https://www.drupal.org/u/mingsong" rel="noreferrer" target="_blank">https://www.drupal.org/u/mingsong</a><br>

[13] <a href="https://www.drupal.org/u/poker10" rel="noreferrer" target="_blank">https://www.drupal.org/u/poker10</a><br>

<br></div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div style="color:rgb(34,34,34)">Computer Security Incident Response Team - CSIRT</div><div style="color:rgb(34,34,34)">Diretoria Executiva de Tecnologia da Informação e Comunicação - DETIC</div><div style="color:rgb(34,34,34)">Universidade Estadual de Campinas - Unicamp</div><div style="color:rgb(34,34,34)">GnuPG Public Key: <a href="http://www.security.unicamp.br/security.asc" style="color:rgb(17,85,204)" target="_blank">http://www.security.unicamp.br/security.asc</a> [^]</div><div style="color:rgb(34,34,34)">Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830</div></div></div></div></div>