Date: 
2019-October-16
Vulnerability: 
Access Bypass
Affected versions: 
<1.2.0
Description: 

The Bat module provides a foundation through which a wide range of availability management, reservation and booking use cases can be addressed.

The routes used to view events don't sufficiently guard access for non-privileged users. Specifically, a user with the 'View own' permission for bat events can view others' events as well.

Solution: 

Install the latest version:

  • If you use the bat module for Drupal 8.x, upgrade to bat 8.x-1.2

Also see the Booking and Availability Management Tools for Drupal project page.

Reported By: 
Fixed By: 
Coordinated By: