Vulnerability from drupal
This module enables field collections to be displayed as tables. It supports display suite and field permissions and provides operations (modify, delete, duplicate).
This module has multiple vulnerabilities due to the requirements on the routes it provides not being restrictive enough.
Information disclosure
Several routes only checked for the 'access content' permission before displaying a paragraph, and did not check whether the user should actually have access to view the paragraph in question.
Access bypass
The paragraphs_item.add_page route previously allowed anyone with the 'access content' permission to add paragraphs to any content, regardless of whether they had permission to edit the host field or content, and without consulting any other hooks that adjust access to add paragraphs of that type.
These vulnerabilities are mitigated by the fact that an attacker must have a role with the permission "access content", which is commonly assigned to all roles.
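As an added illustration (not the paragraphs_table module's own routing file, which is not reproduced here), a Drupal routing.yml fragment shows the weak pattern the advisory describes beside the corrected form: the route name, path and controller are assumptions, and in a real file only the corrected route would be kept, since both share a path.

```yaml
# Constructed illustration, not the paragraphs_table module's actual routing.
# Route names, paths and the controller class are assumptions for the example.

# Weak (before): the only requirement is a site-wide permission, so any user
# holding 'access content' reaches the page for any paragraph, even when the
# paragraph's access handler would deny 'view' on that particular entity.
example.paragraph_view_weak:
  path: '/example/paragraph/{paragraph}'
  defaults:
    _controller: '\Drupal\example\Controller\ParagraphController::view'
  requirements:
    _permission: 'access content'
  options:
    parameters:
      paragraph:
        type: 'entity:paragraph'   # upcast the path argument to a Paragraph entity

# Corrected (after): keep the permission, and additionally require entity
# access on the loaded paragraph. Drupal's EntityAccessCheck then delegates to
# the entity's access control handler and hook_entity_access() implementations,
# so per-entity restrictions (host content, field permissions) are honoured.
example.paragraph_view:
  path: '/example/paragraph/{paragraph}'
  defaults:
    _controller: '\Drupal\example\Controller\ParagraphController::view'
  requirements:
    _permission: 'access content'
    _entity_access: 'paragraph.view'   # '<entity_type>.<operation>' on the {paragraph} parameter
  options:
    parameters:
      paragraph:
        type: 'entity:paragraph'
```

For an add route, Drupal's `_entity_create_access` requirement plays the same role for the create operation; a check that the user may also edit the host entity's field would still need a dedicated access check, since no built-in route requirement covers it.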
{
"affected": [
{
"database_specific": {
"affected_versions": "\u003c1.23.0 || \u003e=2.0.0 \u003c2.0.2"
},
"package": {
"ecosystem": "Packagist:https://packages.drupal.org/8",
"name": "drupal/paragraphs_table"
},
"ranges": [
{
"database_specific": {
"constraint": "\u003c1.23.0"
},
"events": [
{
"introduced": "0"
},
{
"fixed": "1.23.0"
}
],
"type": "ECOSYSTEM"
},
{
"database_specific": {
"constraint": "\u003e=2.0.0 \u003c2.0.2"
},
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.2"
}
],
"type": "ECOSYSTEM"
}
],
"severity": []
}
],
"aliases": [
"CVE-2024-13272"
],
"credits": [
{
"contact": [
"https://www.drupal.org/user/592268"
],
"name": "James Williams"
}
],
"details": "This module enables field collections to be displayed as tables. It supports display suite and field permissions and provides operations (modify, delete, duplicate).\n\nThis module has multiple vulnerabilities due to the requirements on the routes it provides not being restrictive enough.\n\nInformation disclosure\n----------------------\n\nSeveral routes *only* checked for the \u0027access content\u0027 permission before displaying a paragraph, and did not check whether the user should actually have access to view the paragraph in question.\n\nAccess bypass\n-------------\n\nThe `paragraphs_item.add_page` route previously allowed anyone with the \u0027access content\u0027 permission to add paragraphs to any content regardless of permissions to be able to edit the host field or content, or any other hooks for adjusting access to add paragraphs of that type.\n\nThese vulnerabilities are mitigated by the fact that an attacker must have a role with the permission \"access content\" which is commonly assigned to all roles.",
"id": "DRUPAL-CONTRIB-2024-036",
"modified": "2025-02-20T19:23:09.000Z",
"published": "2024-09-04T15:42:05.000Z",
"references": [
{
"type": "WEB",
"url": "https://www.drupal.org/sa-contrib-2024-036"
}
],
"schema_version": "1.7.0"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.