it-securitynotifies - [IT-SecNots] [Security-news] Paragraphs table - Critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-036

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

List archive

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Paragraphs table - Critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-036
  • Date: Wed, 4 Sep 2024 16:40:58 +0000 (UTC)
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 0DAC4406C8
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 0BB84802CD
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2024-036

Project: Paragraphs table [1]
Date: 2024-September-04
Security risk: *Critical* 15/25
AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass, Information Disclosure

Affected versions: <1.23.0 || >=2.0.0 <2.0.2
Description: 
This module enables field collections to be displayed as tables. It supports
display suite and field permissions and provides operations (modify, delete,
duplicate).

This module has multiple vulnerabilities due to the requirements on the
routes it provides not being restrictive enough.

-------- INFORMATION DISCLOSURE ----------------------------------------------

Several routes /only/ checked for the 'access content' permission before
displaying a paragraph, and did not check whether the user should actually
have access to view the paragraph in question.

-------- ACCESS BYPASS -------------------------------------------------------

The paragraphs_item.add_page route previously allowed anyone with the 'access
content' permission to add paragraphs to any content, regardless of whether
they had permission to edit the host field or host content, and without
consulting any other hooks that adjust access to add paragraphs of that type.

These vulnerabilities are mitigated by the fact that an attacker must have a
role with the permission "access content" which is commonly assigned to all
roles.
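The advisory describes routes whose only requirement was a site-wide permission. As an added illustration (not the paragraphs_table module's own code or fix), the following Drupal access checker shows the weak route requirement next to a hardened one that defers to entity access, field edit access and paragraph create access. The module name `my_module`, the class `ParagraphAddAccessCheck`, the route names and the route parameter names are assumptions chosen for the example; the `_permission`, `_entity_access` and `_custom_access` route requirements and the entity API calls used are Drupal core APIs.

```php
<?php

namespace Drupal\my_module\Access;

// Added example, not code from the paragraphs_table project. Module, class,
// route and parameter names are assumptions.
//
// Requirement of the kind the advisory describes (routing.yml): only a
// site-wide permission is checked, so any "access content" holder passes.
//
//   my_module.paragraph_add:
//     path: '/paragraph/add/{host_type}/{host_id}/{field_name}/{paragraph_type}'
//     requirements:
//       _permission: 'access content'
//
// Hardened route: delegate to a check that inspects host entity, field and
// paragraph type.
//
//   my_module.paragraph_add:
//     path: '/paragraph/add/{host_type}/{host_id}/{field_name}/{paragraph_type}'
//     requirements:
//       _custom_access: '\Drupal\my_module\Access\ParagraphAddAccessCheck::access'
//
// For a plain "view" route, upcasting the paragraph and using core's entity
// access requirement replaces the permission check entirely:
//
//   my_module.paragraph_view:
//     path: '/paragraph/{paragraph}'
//     options:
//       parameters:
//         paragraph: { type: 'entity:paragraph' }
//     requirements:
//       _entity_access: 'paragraph.view'

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\DependencyInjection\ContainerInjectionInterface;
use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\Entity\FieldableEntityInterface;
use Drupal\Core\Session\AccountInterface;
use Symfony\Component\DependencyInjection\ContainerInterface;

final class ParagraphAddAccessCheck implements ContainerInjectionInterface {

  public function __construct(private readonly EntityTypeManagerInterface $entityTypeManager) {}

  public static function create(ContainerInterface $container): static {
    return new static($container->get('entity_type.manager'));
  }

  /**
   * Route parameters are injected by name; $account is the current user.
   */
  public function access(AccountInterface $account, string $host_type, string $host_id, string $field_name, string $paragraph_type): AccessResultInterface {
    // 1. The host must exist and actually carry the named paragraph field.
    $storage = $this->entityTypeManager->hasDefinition($host_type)
      ? $this->entityTypeManager->getStorage($host_type)
      : NULL;
    $host = $storage?->load($host_id);
    if (!$host instanceof FieldableEntityInterface || !$host->hasField($field_name)) {
      // Neutral rather than forbidden: the route is denied unless some other
      // access check explicitly allows it.
      return AccessResult::neutral('Unknown host entity or field.');
    }

    // 2. The requested paragraph type must be allowed on this field. The
    // reference field keeps its allowed bundles in the handler settings; an
    // empty list means every type is allowed, and "negate" inverts the list.
    $items = $host->get($field_name);
    $handler_settings = $items->getFieldDefinition()->getSetting('handler_settings') ?? [];
    $target_bundles = array_filter($handler_settings['target_bundles'] ?? []);
    $negate = !empty($handler_settings['negate']);
    if ($target_bundles && (isset($target_bundles[$paragraph_type]) === $negate)) {
      return AccessResult::forbidden('Paragraph type not allowed on this field.')
        ->addCacheableDependency($host);
    }

    // 3. The user must be allowed to edit both the host entity and the field
    // that will receive the new paragraph ...
    $host_access = $host->access('update', $account, TRUE)
      ->andIf($items->access('edit', $account, TRUE));

    // 4. ... and to create paragraphs of that type. Going through the access
    // control handler runs hook_entity_create_access() and
    // hook_paragraph_create_access(), so site-specific rules are honoured.
    $create_access = $this->entityTypeManager
      ->getAccessControlHandler('paragraph')
      ->createAccess($paragraph_type, $account, ['parent' => $host], TRUE);

    return $host_access->andIf($create_access)->addCacheableDependency($host);
  }

}
```

The design point is that every decision is a cacheable `AccessResult` combined with `andIf()`, so Drupal's render and page caches vary correctly per user and per host entity; a bare `_permission` requirement cannot express any of the per-entity conditions the advisory says were missing.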

Solution: 
Install the latest version:

* If you use the paragraphs_table module 8.x-1.x, upgrade to
paragraphs_table 8.x-1.23 [3]
* If you use the paragraphs_table module 2.0.x, upgrade to paragraphs_table
2.0.2 [4] or newer

Reported By: 
* James Williams [5]

Fixed By: 
* James Williams [6]
* NGUYEN Bao [7]
* Steven Jones [8]
* Joseph Olstad [9]

Coordinated By: 
* Greg Knaddison [10] of the Drupal Security Team
* Jess [11] of the Drupal Security Team
* Juraj Nemec [12] of the Drupal Security Team


[1] https://www.drupal.org/project/paragraphs_table
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/paragraphs_table/releases/8.x-1.23
[4] https://www.drupal.org/project/paragraphs_table/releases/2.0.2
[5] https://www.drupal.org/user/592268
[6] https://www.drupal.org/user/592268
[7] https://www.drupal.org/user/2896581
[8] https://www.drupal.org/user/99644
[9] https://www.drupal.org/user/1321830
[10] https://www.drupal.org/u/greggles
[11] https://www.drupal.org/u/xjm
[12] https://www.drupal.org/u/poker10

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news



Archive provided by MHonArc 2.6.19+.
