CVE-2015-5515

Severity CVSS v4.0:
Pending analysis
Type:
CWE-264 Permissions, Privileges, and Access Control
Publication date:
18/08/2015
Last modified:
12/04/2025

Description

The Views Bulk Operations (VBO) module 6.x-1.x and 7.x-3.x before 7.x-3.3 for Drupal, when the bulk operation for changing Roles is enabled, allows remote authenticated users to edit user accounts and add arbitrary roles to the accounts by leveraging access to a user account listing view with VBO enabled.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:views_bulk_operations_project:views_bulk_operations:6.x-1.17:*:*:*:*:drupal:*:*
cpe:2.3:a:views_bulk_operations_project:views_bulk_operations:6.x-1.x:dev:*:*:*:drupal:*:*
cpe:2.3:a:views_bulk_operations_project:views_bulk_operations:7.x-3.0:*:*:*:*:drupal:*:*
cpe:2.3:a:views_bulk_operations_project:views_bulk_operations:7.x-3.0:alpha1:*:*:*:drupal:*:*
cpe:2.3:a:views_bulk_operations_project:views_bulk_operations:7.x-3.0:alpha2:*:*:*:drupal:*:*
cpe:2.3:a:views_bulk_operations_project:views_bulk_operations:7.x-3.0:alpha3:*:*:*:drupal:*:*
cpe:2.3:a:views_bulk_operations_project:views_bulk_operations:7.x-3.0:beta1:*:*:*:drupal:*:*
cpe:2.3:a:views_bulk_operations_project:views_bulk_operations:7.x-3.0:beta2:*:*:*:drupal:*:*
cpe:2.3:a:views_bulk_operations_project:views_bulk_operations:7.x-3.0:beta3:*:*:*:drupal:*:*
cpe:2.3:a:views_bulk_operations_project:views_bulk_operations:7.x-3.0:rc1:*:*:*:drupal:*:*
cpe:2.3:a:views_bulk_operations_project:views_bulk_operations:7.x-3.1:*:*:*:*:drupal:*:*
cpe:2.3:a:views_bulk_operations_project:views_bulk_operations:7.x-3.2:*:*:*:*:drupal:*:*
cpe:2.3:a:views_bulk_operations_project:views_bulk_operations:7.x-3.x:dev:*:*:*:drupal:*:*