DRUPAL-CONTRIB-2024-046

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/block_permissions/DRUPAL-CONTRIB-2024-046.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2024-046
Aliases
  • CVE-2024-13282
Published
2024-10-09T15:48:11Z
Modified
2025-12-10T23:41:30.368537Z
Summary
[none]
Details

This module enables you to manage blocks from specific modules in specific themes.

The module does not sufficiently check permissions when a block is added via the form "/admin/structure/block/add/{plugin_id}/{theme}" (route "block.admin_add"). As a result, an attacker can add a block to a theme in which they are not permitted to manage blocks.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks provided by [provider]".

References
Credits

Affected packages

Packagist: https://packages.drupal.org/8 / drupal/block_permissions

Package

Name
drupal/block_permissions
Purl
pkg:composer/drupal/block_permissions

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Fixed
1.2.0
Database specific
{
    "constraint": ">=1.0.0 <1.2.0"
}

Database specific

source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/block_permissions/DRUPAL-CONTRIB-2024-046.json"
affected_versions
">=1.0.0 <1.2.0"