
it-securitynotifies - [IT-SecNots] [Security-news] Layout Builder Advanced Permissions - Moderately critical - Access bypass - SA-CONTRIB-2025-097

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Layout Builder Advanced Permissions - Moderately critical - Access bypass - SA-CONTRIB-2025-097
  • Date: Wed, 13 Aug 2025 17:33:36 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2025-097

Project: Layout Builder Advanced Permissions [1]
Date: 2025-August-13
Security risk: *Moderately critical* 10 ∕ 25
AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Affected versions: 2.2.0
CVE IDs: CVE-2025-8996
Description: 
The Layout Builder Advanced Permissions module enables you to have
fine-grained control over who can do what in editing pages built with Layout
Builder.

The module doesn't sufficiently control access for adding sections in the
submodule.

This vulnerability is mitigated by the fact that an attacker must have a role
with a specific set of permissions:

* Node: View published content
* Node: (Your content type): Create new content
* Node: (Your content type): Edit any content
* Layout builder: (Your content type): Configure layout overrides for
content items that the user can edit
* Layout builder advanced permissions: Access Layout Builder page

Solution: 
Install the latest version:

* If you use the Layout Builder Advanced Permissions module, upgrade to
Layout Builder Advanced Permissions 2.2.1 [3]

Reported By: 
* Eelke Blok (eelkeblok) [4]
* Michael Whittaker (mrwhittaker) [5]

Fixed By: 
* Eelke Blok (eelkeblok) [6]
* Sorin Dediu (sdstyles) [7]
* Sean Blommaert (seanb) [8]

Coordinated By: 
* Anna Kalata (akalata) [9]
* Damien McKenna (damienmckenna) [10] of the Drupal Security Team
* Greg Knaddison (greggles) [11] of the Drupal Security Team
* Juraj Nemec (poker10) [12] of the Drupal Security Team
* Cathy Theys (yesct) [13] of the Drupal Security Team


[1] https://www.drupal.org/project/layout_builder_perms
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/layout_builder_perms/releases/2.2.1
[4] https://www.drupal.org/u/eelkeblok
[5] https://www.drupal.org/u/mrwhittaker
[6] https://www.drupal.org/u/eelkeblok
[7] https://www.drupal.org/u/sdstyles
[8] https://www.drupal.org/u/seanb
[9] https://www.drupal.org/u/akalata
[10] https://www.drupal.org/u/damienmckenna
[11] https://www.drupal.org/u/greggles
[12] https://www.drupal.org/u/poker10
[13] https://www.drupal.org/u/yesct
