D7ES PSA relating to SA-CORE-2025-002 impacting Views Bulk Operations (VBO)
Date
SA-CORE-2025-002 communicates a security issue introduced in Drupal 8+. This functionality in modern Drupal was heavily inspired by Views Bulk Operations, which exposes core Actions to be performed against nodes (and other entities). While it does not have the concept of permissions around Actions like in Drupal 8+, Views Bulk Operations (VBO) provides an actions_permissions sub-module. As a mitigation technique, this sub-module should be enabled and configured on Views that expose bulk operations.