DRUPAL-CONTRIB-2024-036

Import Source: https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/paragraphs_table/DRUPAL-CONTRIB-2024-036.json
JSON Data: https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2024-036
Aliases:
  • CVE-2024-13272
Published: 2024-09-04T15:42:05Z
Modified: 2025-12-10T23:41:31.977280Z
Summary
[none]
Details

This module enables field collections to be displayed as tables. It supports display suite and field permissions and provides operations (modify, delete, duplicate).

This module has multiple vulnerabilities due to the requirements on the routes it provides not being restrictive enough.

Information disclosure

Several routes only checked for the 'access content' permission before displaying a paragraph, and did not check whether the user should actually have access to view the paragraph in question.

Access bypass

The paragraphs_item.add_page route previously allowed anyone with the 'access content' permission to add paragraphs to any content, regardless of whether the user was allowed to edit the host field or content, and without consulting any other hooks that adjust access to add paragraphs of that type.

These vulnerabilities are mitigated by the fact that an attacker must have a role with the permission "access content", which is commonly assigned to all roles.
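The advisory's point is about the `requirements` block of Drupal route definitions: a route that only requires a site-wide permission never asks whether the current user may view or create the specific entity the route operates on. The routing.yml fragment below is an added illustration, not the paragraphs_table module's own code; the route names, paths, parameter names and controller class are hypothetical, and the "weak" and "hardened" routes are shown as before/after alternatives (only one of them would exist in a real module).

```yaml
# Added illustration, not the module's routing.yml. Route names, paths,
# parameters and the controller class are hypothetical.

# Weak form: the only requirement is a site-wide permission. Any user with
# 'access content' (usually granted to every role) passes, even when the
# paragraph itself is not viewable by that user.
example.paragraph_view_weak:
  path: '/example/paragraph/{paragraph}'
  defaults:
    _controller: '\Drupal\example\Controller\ParagraphController::view'
  requirements:
    _permission: 'access content'
  options:
    parameters:
      paragraph:
        type: entity:paragraph

# Hardened form: core's entity access checker evaluates 'view' access on the
# loaded paragraph, so entity/field access hooks and the parent entity's
# access rules are consulted for this specific item.
example.paragraph_view:
  path: '/example/paragraph/{paragraph}'
  defaults:
    _controller: '\Drupal\example\Controller\ParagraphController::view'
  requirements:
    _entity_access: 'paragraph.view'
  options:
    parameters:
      paragraph:
        type: entity:paragraph

# Add page: require create access for the requested paragraph bundle instead
# of a blanket permission. Checking 'update' access on the host entity/field
# as well would be done in a _custom_access callback (not shown here).
example.paragraph_add:
  path: '/example/paragraph/add/{paragraph_type}'
  defaults:
    _controller: '\Drupal\example\Controller\ParagraphController::add'
  requirements:
    _entity_create_access: 'paragraph:{paragraph_type}'
```

`_entity_access` and `_entity_create_access` are core routing requirements (handled by `EntityAccessCheck` and `EntityCreateAccessCheck`); the `{paragraph_type}` token in the create requirement is resolved from the route parameter of the same name. A quick review check for a contrib module is to list every route in its routing.yml whose `requirements` consist solely of `_permission: 'access content'` (or `_access: 'TRUE'`) and confirm that each such route does not load or create a specific entity.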

References
Credits

Affected packages

Packagist: https://packages.drupal.org/8 / drupal/paragraphs_table

Package
  Name: drupal/paragraphs_table
  Purl: pkg:composer/drupal/paragraphs_table

Affected ranges

Type: ECOSYSTEM
Events:
  Introduced: 0 (unknown introduced version; all previous versions are affected)
  Fixed: 1.23.0
Database specific:
{
    "constraint": "<1.23.0"
}

Type: ECOSYSTEM
Events:
  Introduced: 2.0.0
  Fixed: 2.0.2
Database specific:
{
    "constraint": ">=2.0.0 <2.0.2"
}

Database specific

source: "https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/paragraphs_table/DRUPAL-CONTRIB-2024-036.json"
affected_versions: "<1.23.0 || >=2.0.0 <2.0.2"