View online: https://www.drupal.org/sa-contrib-2025-033
Project: Panels [1]
Date: 2025-April-09
Security risk: *Critical* 16 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Affected versions: <4.9.0
CVE IDs: CVE-2025-3474
Description: Panels enables administrators to add page variants within page manager, panelizer, etc. to create custom pages.
The module doesn't sufficiently protect sensitive routes, allowing an attacker to view and modify blocks within variants without requiring appropriate permission.
This vulnerability is mitigated by the fact that an attacker must know the machine name of the variant and underlying page, which is not available within the source code of a page. Additionally, only simple blocks can be added or edited, as a more complex block will trigger an error due to missing permissions.
Solution: Install the latest version:
* If you use the Panels module for Drupal 8.x, upgrade to Panels 8.x-4.9 [3]
Reported By:
* Manuel Adán (manuel.adan) [4]
Fixed By:
* Jakob P (japerry) [5]
* Manuel Adán (manuel.adan) [6]
Coordinated By:
* Greg Knaddison (greggles) [7] of the Drupal Security Team
[1] https://www.drupal.org/project/panels
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/panels/releases/8.x-4.9
[4] https://www.drupal.org/u/manueladan
[5] https://www.drupal.org/u/japerry
[6] https://www.drupal.org/u/manueladan
[7] https://www.drupal.org/u/greggles