Date: 2024-October-09
Vulnerability: Access bypass
Affected versions: >=1.0.0 <1.2.0
CVE IDs: CVE-2024-13282
Description: 

This module enables you to manage blocks from specific modules in specific themes.

The module does not sufficiently check permissions when a block is added through the form "/admin/structure/block/add/{plugin_id}/{theme}" (route "block.admin_add"): only the provider-based permission is verified, not whether the user may manage blocks in the theme named in the URL. An attacker can therefore add a block to a theme in which they are not allowed to manage blocks.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks provided by [provider]".
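As an added illustration of the missing check (this is not the block_permissions module's own code), the following hypothetical custom module "my_block_access" alters the "block.admin_add" route so that the {theme} slug is also checked against a theme-level permission. The permission string "administer blocks in [theme] theme" is an assumption here; take the real name from the module's own permission definitions.

```php
<?php
// my_block_access.services.yml (registers the subscriber):
//   services:
//     my_block_access.route_subscriber:
//       class: Drupal\my_block_access\Routing\RouteSubscriber
//       tags:
//         - { name: event_subscriber }

namespace Drupal\my_block_access\Routing;

use Drupal\Core\Routing\RouteSubscriberBase;
use Symfony\Component\Routing\RouteCollection;

class RouteSubscriber extends RouteSubscriberBase {

  protected function alterRoutes(RouteCollection $collection): void {
    // Core's route keeps its own '_permission' requirement; Drupal combines
    // all access checks on a route with AND, so this only adds a constraint.
    if ($route = $collection->get('block.admin_add')) {
      $route->setRequirement(
        '_custom_access',
        '\Drupal\my_block_access\Access\ThemeBlockAccess::access'
      );
    }
  }

}

namespace Drupal\my_block_access\Access;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Session\AccountInterface;

class ThemeBlockAccess {

  /**
   * Access callback: $theme is injected from the {theme} route parameter.
   * The permission name is an assumed placeholder (see lead-in).
   */
  public static function access(AccountInterface $account, string $theme): AccessResult {
    return AccessResult::allowedIfHasPermission(
      $account,
      "administer blocks in $theme theme"
    )->cachePerPermissions();
  }

}
```

Because the decision depends only on the account's permissions, the result is cached per permissions and an unknown or forged theme name simply fails the check.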

Solution: 

Install the latest version:

  • If you use the block_permissions module for Drupal 8.x, upgrade to block_permissions version at least 8.x-1.2 or the more recent 8.x-1.3
Reported By: 
Coordinated By: