[Security-news] Panels - Critical - Access bypass - SA-CONTRIB-2025-033
security-news at drupal.org
security-news at drupal.org
Wed Apr 9 17:04:57 UTC 2025
View online: https://www.drupal.org/sa-contrib-2025-033
Project: Panels [1]
Date: 2025-April-09
Security risk: *Critical* 16 ∕ 25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Affected versions: <4.9.0
CVE IDs: CVE-2025-3474
Description:
Panels enables administrators to add page variants within page manager,
panelizer, etc to create custom pages.
The module doesn't sufficiently protect sensitive routes, allowing an
attacker to view and modify blocks within variants without requiring
appropriate permission.
This vulnerability is mitigated by the fact that an attacker must know the
machine name of the variant and underlying page, which is not available
within the source code of a page. Additionally, only simple blocks can be
added or edited, as a more complex block will trigger an error due to missing
permissions.
Solution:
Install the latest version:
* If you use the Panels module for Drupal 8.x, upgrade to Panels 8.x-4.9 [3]
Reported By:
* Manuel Adán (manuel.adan) [4]
Fixed By:
* Jakob P (japerry) [5]
* Manuel Adán (manuel.adan) [6]
Coordinated By:
* Greg Knaddison (greggles) [7] of the Drupal Security Team
[1] https://www.drupal.org/project/panels
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/panels/releases/8.x-4.9
[4] https://www.drupal.org/u/manueladan
[5] https://www.drupal.org/u/japerry
[6] https://www.drupal.org/u/manueladan
[7] https://www.drupal.org/u/greggles
More information about the Security-news
mailing list