Block permissions - Moderately critical - Access bypass - SA-CONTRIB-2024-046
Project: Block permissions
Date: 2024-October-09
Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Affected versions: >=1.0.0 <1.2.0
Description: This module enables you to manage blocks from specific modules in specific themes.
The module doesn't sufficiently check permissions when a block is added using the form "/admin/structure/block/add/{plugin_id}/{theme}" (route "block.admin_add"). An attacker can add a block to a theme in which they are not permitted to manage blocks.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks provided by [provider]".
Solution: Install the latest version:
- If you use the block_permissions module for Drupal 8.x, upgrade to block_permissions version at least 8.x-1.2 or the more recent 8.x-1.3
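As an added illustration of the defensive pattern involved (this is example code, not the block_permissions module's own fix), the snippet below shows how a Drupal route subscriber can attach a custom access check to the "block.admin_add" route so that the theme-level permission is enforced alongside the provider-level one. The module name "example_block_access", the class names, and the permission string "administer blocks in theme [theme]" are assumptions made for this example; the "administer blocks provided by [provider]" permission is the one named in the advisory. Registering the subscriber as a tagged "event_subscriber" service in the module's services.yml is left to the reader.

```php
<?php

namespace Drupal\example_block_access\Routing;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Routing\RouteSubscriberBase;
use Drupal\Core\Session\AccountInterface;
use Symfony\Component\Routing\RouteCollection;

/**
 * Adds a theme-aware access check to the core "block.admin_add" route.
 *
 * Example code (hypothetical module "example_block_access"), not the
 * block_permissions module's code.
 */
class BlockAddRouteSubscriber extends RouteSubscriberBase {

  /**
   * {@inheritdoc}
   */
  protected function alterRoutes(RouteCollection $collection) {
    if ($route = $collection->get('block.admin_add')) {
      // Core's existing requirements (e.g. "administer blocks") stay in place;
      // "_custom_access" is evaluated in addition to them.
      $route->setRequirement('_custom_access', '\Drupal\example_block_access\Routing\BlockAddRouteSubscriber::access');
    }
  }

  /**
   * Custom access callback for "/admin/structure/block/add/{plugin_id}/{theme}".
   *
   * Drupal resolves $plugin_id and $theme from the route parameters by name.
   */
  public static function access(AccountInterface $account, string $plugin_id, string $theme) {
    // Look up the block plugin so we know which module provides it.
    $definition = \Drupal::service('plugin.manager.block')->getDefinition($plugin_id, FALSE);
    if (!$definition) {
      return AccessResult::forbidden('Unknown block plugin.')->addCacheContexts(['route']);
    }
    $provider = $definition['provider'];

    // Require BOTH the provider-scoped permission from the advisory and a
    // theme-scoped permission (the latter name is an assumption for this
    // example). allowedIfHasPermissions() adds the "user.permissions"
    // cache context; add "route" because the result depends on $theme.
    return AccessResult::allowedIfHasPermissions($account, [
      "administer blocks provided by $provider",
      "administer blocks in theme $theme",
    ])->addCacheContexts(['route']);
  }

}
```

The point of the example is the second permission: checking only the provider-scoped permission, as the advisory describes, lets a user place a block into any theme, whereas resolving the {theme} route parameter and requiring a theme-scoped permission closes that gap.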
Reported By:
Fixed By:
Coordinated By:
- Greg Knaddison of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team