This issue was discussed by the Drupal Security Team, and their decision was that this can be solved in a public issue.
The Views Bulk Operations module allows changing a user's roles. It checks permission via the entity metadata wrapper functionality provided by the Entity API module.
VBO only successfully performed this check as of version 7.x-3.3 (see SA-CONTRIB-2015-131 and the commit here).
We (@Kazanir and I) have noticed a further vulnerability, which is that the Entity API module does not itself sufficiently validate permission to change a user's roles. It returns TRUE if you have the administer users permission. For the roles property, Entity API should actually be checking for the administer permissions permission.
A patch was provided by @pjcdawkins to demonstrate a possible fix.
@berdir notes that there is a similar public issue reported for core: https://www.drupal.org/node/2846365
Status: Active
Version: 1.0
Component: Code - misc
Issue tags: Security improvements, Needs tests

The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.
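The check described in the issue summary, as an added example that is not code from the issue, from Entity API or from VBO: a small Drupal 7 module (hypothetical name `roles_access_example`) that replaces the access callback on the user entity's `roles` property with one requiring core's `administer permissions` permission before the property may be edited. It assumes Entity API exposes the property as `$info['user']['properties']['roles']` with an `access callback` key, and that property access callbacks are invoked as `$callback($op, $property, $entity, $account, $entity_type)` with `$op` being `view` or `edit`.

```php
<?php
// Added example (hypothetical module "roles_access_example"); not code from
// the issue, Entity API or VBO. Assumptions: Entity API keeps the user roles
// property at $info['user']['properties']['roles'] with an 'access callback'
// key, and calls property access callbacks as
// $callback($op, $property, $entity, $account, $entity_type).

/**
 * Implements hook_entity_property_info_alter().
 */
function roles_access_example_entity_property_info_alter(&$info) {
  if (isset($info['user']['properties']['roles'])) {
    $info['user']['properties']['roles']['access callback'] = 'roles_access_example_roles_access';
  }
}

/**
 * Access callback for the user "roles" property.
 *
 * Returning TRUE for anyone holding "administer users" (the check the issue
 * describes) lets an account that may edit users, but not permissions, hand
 * out any role, including an administrator role. Editing roles is the same
 * thing as granting permissions, so the edit operation is gated on
 * "administer permissions". Viewing keeps the looser user-admin check.
 */
function roles_access_example_roles_access($op, $property, $entity = NULL, $account = NULL, $entity_type = NULL) {
  // Default to the current user, as user_access() itself does.
  if (!isset($account)) {
    $account = $GLOBALS['user'];
  }

  switch ($op) {
    case 'edit':
      // Only an account allowed to administer permissions may change roles.
      return user_access('administer permissions', $account);

    case 'view':
      // Seeing which roles an account holds: user administrators, or the
      // account itself (for the user entity type, $entity is the user object).
      if (user_access('administer users', $account)) {
        return TRUE;
      }
      return isset($entity->uid) && $entity->uid == $account->uid;
  }

  // Any other operation is denied.
  return FALSE;
}
```

Property info is cached, so the altered callback only takes effect after a cache clear (for example `drush cc all`). This is a stop-gap for sites that cannot update yet; the proper fix belongs in Entity API's own access callback, as the patch in this issue proposes.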