Paragraphs table - Critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-036
Project: Paragraphs table
Date: 2024-September-04
Security risk: Critical 15∕25 AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Access bypass, Information Disclosure
Affected versions: <1.23.0 || >=2.0.0 <2.0.2
Description: This module enables field collections to be displayed as tables. It supports display suite and field permissions and provides operations (modify, delete, duplicate).
This module has multiple vulnerabilities because the access requirements on the routes it provides are not restrictive enough: they check a single site-wide permission instead of access to the specific entity being viewed or edited.
Information disclosure
Several routes only checked for the 'access content' permission before displaying a paragraph, and did not check whether the user should actually have access to view the paragraph in question.
Access bypass
The paragraphs_item.add_page route previously allowed anyone with the 'access content' permission to add paragraphs to any content, regardless of whether they could edit the host content or the host field, and without invoking any other hooks that adjust access to create paragraphs of that type.
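The pattern behind both issues is a route whose only requirement is `_permission: 'access content'`, so the per-entity checks (paragraph view access, host entity and host field edit access, paragraph create access) are never consulted. The following is an added illustrative example, not code from the paragraphs_table module or the fix that shipped in it: the route names, paths and the `ParagraphAddAccess` class are hypothetical, and the routing fragments in the leading comment show the weak requirement beside a hardened one using Drupal core's `_entity_access` and `_custom_access` requirements.

```php
<?php

// Added illustrative example; not the paragraphs_table module's own code.
// Route names, paths and the class below are hypothetical.
//
// Weak requirement (the pattern the advisory describes): any user holding
// 'access content' can reach the route, whatever the paragraph's own
// access rules say.
//
//   example.paragraph_view:
//     path: '/example/paragraph/{paragraph}'
//     requirements:
//       _permission: 'access content'
//
// Hardened: for a plain "view this paragraph" route, core can perform the
// entity access check itself once the parameter is upcast to an entity.
//
//   example.paragraph_view:
//     path: '/example/paragraph/{paragraph}'
//     options:
//       parameters:
//         paragraph:
//           type: 'entity:paragraph'
//     requirements:
//       _entity_access: 'paragraph.view'
//
// An "add a paragraph to this host field" route has to answer several
// questions at once, so it delegates to a custom access callback. The host
// is assumed to be a node here for simplicity.
//
//   example.paragraph_add:
//     path: '/example/node/{host}/{field_name}/{bundle}/add'
//     options:
//       parameters:
//         host:
//           type: 'entity:node'
//     requirements:
//       _custom_access: '\Drupal\example\Access\ParagraphAddAccess::access'

namespace Drupal\example\Access;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\DependencyInjection\ContainerInjectionInterface;
use Drupal\Core\Entity\ContentEntityInterface;
use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\Session\AccountInterface;
use Symfony\Component\DependencyInjection\ContainerInterface;

/**
 * Access callback for adding a paragraph of a given bundle to a host field.
 *
 * Route parameters are injected by name; $account is the current user.
 */
class ParagraphAddAccess implements ContainerInjectionInterface {

  public function __construct(protected EntityTypeManagerInterface $entityTypeManager) {}

  public static function create(ContainerInterface $container): static {
    return new static($container->get('entity_type.manager'));
  }

  public function access(ContentEntityInterface $host, string $field_name, string $bundle, AccountInterface $account): AccessResultInterface {
    // 1. The named field must exist on the host and must reference paragraphs;
    //    otherwise an attacker could target arbitrary fields by name.
    if (!$host->hasField($field_name)) {
      return AccessResult::forbidden('Unknown host field.')->addCacheableDependency($host);
    }
    $items = $host->get($field_name);
    $definition = $items->getFieldDefinition();
    if ($definition->getType() !== 'entity_reference_revisions'
      || $definition->getSetting('target_type') !== 'paragraph') {
      return AccessResult::forbidden('Field does not reference paragraphs.')->addCacheableDependency($host);
    }

    // 2. The requested bundle must be one the field is configured to accept.
    $handler_settings = $definition->getSetting('handler_settings') ?? [];
    $target_bundles = $handler_settings['target_bundles'] ?? [];
    $negate = !empty($handler_settings['negate']);
    if ($target_bundles && (isset($target_bundles[$bundle]) === $negate)) {
      return AccessResult::forbidden('Bundle not allowed on this field.')->addCacheableDependency($host);
    }

    // 3. The user must be able to update the host entity, edit the host field
    //    (this is where field permissions apply), and create paragraphs of
    //    this bundle (this is where hook_entity_create_access() and the
    //    paragraph access control handler apply). Each sub-result carries its
    //    own cacheability, which andIf() merges.
    $paragraph_access = $this->entityTypeManager
      ->getAccessControlHandler('paragraph')
      ->createAccess($bundle, $account, [], TRUE);

    return $host->access('update', $account, TRUE)
      ->andIf($items->access('edit', $account, TRUE))
      ->andIf($paragraph_access);
  }

}
```

The important design choice is that every branch returns an AccessResult that carries the host entity as a cacheable dependency, so the router's access cache is invalidated when the host changes; returning a bare boolean from a custom access callback would silently lose that cacheability. The same three-part check (host update, field edit, paragraph create) is what an edit or delete route should perform on the existing paragraph, substituting 'update' or 'delete' for create access.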
These vulnerabilities are mitigated by the fact that an attacker must have a role with the permission "access content", which is commonly assigned to all roles.
Solution: Install the latest version:
- If you use the paragraphs_table module 8.x-1.x, upgrade to paragraphs_table 8.x-1.23
- If you use the paragraphs_table module 2.0.x, upgrade to paragraphs_table 2.0.2 or newer
Reported By:
Fixed By:
Coordinated By:
- Greg Knaddison of the Drupal Security Team
- Jess of the Drupal Security Team
- Juraj Nemec of the Drupal Security Team