
it-securitynotifies - [IT-SecNots] [Security-news] Panels - Critical - Access bypass - SA-CONTRIB-2025-033

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements


[IT-SecNots] [Security-news] Panels - Critical - Access bypass - SA-CONTRIB-2025-033


  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Panels - Critical - Access bypass - SA-CONTRIB-2025-033
  • Date: Wed, 9 Apr 2025 17:04:57 +0000 (UTC)
  • Authentication-results: lists.piratenpartei.de; dkim=pass header.d=drupal.org header.s=default header.b=SPNKBfi1; spf=pass (lists.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 2605:bc80:3010::136 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 0F1626FC91
  • Dkim-filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 9936A837C4
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-033

Project: Panels [1]
Date: 2025-April-09
Security risk: *Critical* 16 ∕ 25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Affected versions: <4.9.0
CVE IDs: CVE-2025-3474
Description: 
Panels enables administrators to add page variants within page manager,
panelizer, etc. to create custom pages.

The module doesn't sufficiently protect sensitive routes, allowing an
attacker to view and modify blocks within variants without requiring
appropriate permission.

This vulnerability is mitigated by the fact that an attacker must know the
machine name of the variant and underlying page, which is not available
within the source code of a page. Additionally, only simple blocks can be
added or edited, as a more complex block will trigger an error due to missing
permissions.

Solution: 
Install the latest version:

* If you use the Panels module for Drupal 8.x, upgrade to Panels 8.x-4.9 [3]
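The advisory gives the affected range as everything below 4.9.0, with 8.x-4.9 as the fixed release. The following Python script is an added example, not part of the advisory or of the Panels project: it reads a Composer lock file, finds the installed drupal/panels package and reports whether its version falls inside that range. It assumes the standard composer.lock layout (a "packages" list of objects with "name" and "version" keys) and that the legacy drupal.org tag 8.x-4.9 corresponds to the Composer version 4.9.0; the lock file contents embedded below are constructed sample data, not taken from a real site.

```python
"""Check a composer.lock for a drupal/panels version affected by SA-CONTRIB-2025-033 (< 4.9.0)."""
import json
import re

# Constructed sample: a minimal composer.lock fragment, not a real lock file.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "10.3.2"},
        {"name": "drupal/panels", "version": "4.8.0"},
        {"name": "drupal/page_manager", "version": "4.0.0"},
    ]
})

# First fixed release per the advisory: 8.x-4.9, i.e. Composer 4.9.0.
# The trailing 1 marks a final (non pre-release) version, see parse_version().
FIXED_VERSION = (4, 9, 0, 1)

_VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(-[0-9A-Za-z.]+)?$")


def parse_version(version):
    """Turn a Composer or legacy drupal.org version string into a comparable tuple.

    Accepts Composer style ("4.8.0", "4.9.0-beta1") and legacy drupal.org style
    ("8.x-4.9"); a core prefix such as "8.x-" is dropped (assumption: the
    contrib number after the prefix is the Composer version). The fourth element
    is 0 for pre-releases and 1 for final releases, so "4.9.0-beta1" sorts below
    "4.9.0" and is still inside the affected range.
    """
    bare = re.sub(r"^\d+\.x-", "", version)
    match = _VERSION_RE.match(bare)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, prerelease = match.groups()
    return (int(major), int(minor or 0), int(patch or 0), 0 if prerelease else 1)


def installed_version(lock_json, package="drupal/panels"):
    """Return the locked version of `package`, or None if it is not installed."""
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == package:
                return pkg["version"]
    return None


def is_vulnerable(version):
    """True when `version` is below the first fixed release (4.9.0)."""
    return parse_version(version) < FIXED_VERSION


def check_lock(lock_json):
    """Summarise the drupal/panels status of a lock file.

    `vulnerable` is None when the package is absent or its version cannot be
    parsed (e.g. a "dev-..." branch alias), so the caller can treat those
    cases as "needs manual review" rather than "safe".
    """
    version = installed_version(lock_json)
    if version is None:
        return {"installed": None, "vulnerable": None}
    try:
        return {"installed": version, "vulnerable": is_vulnerable(version)}
    except ValueError:
        return {"installed": version, "vulnerable": None}


if __name__ == "__main__":
    # Run against the constructed sample; replace with open("composer.lock").read() on a real site.
    print(check_lock(SAMPLE_COMPOSER_LOCK))
```

The script deliberately reports None rather than False for packages it cannot classify, so a dev-branch checkout of Panels is flagged for manual review instead of being silently counted as patched.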

Reported By: 
* Manuel Adán (manuel.adan) [4]

Fixed By: 
* Jakob P (japerry) [5]
* Manuel Adán (manuel.adan) [6]

Coordinated By: 
* Greg Knaddison (greggles) [7] of the Drupal Security Team


[1] https://www.drupal.org/project/panels
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/panels/releases/8.x-4.9
[4] https://www.drupal.org/u/manueladan
[5] https://www.drupal.org/u/japerry
[6] https://www.drupal.org/u/manueladan
[7] https://www.drupal.org/u/greggles

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news


