DRUPAL-CONTRIB-2025-033

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/panels/DRUPAL-CONTRIB-2025-033.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-033
Aliases
  • CVE-2025-3474
Published
2025-04-09T17:04:56Z
Modified
2025-12-10T23:41:25.585726Z
Summary
[none]
Details

Panels enables administrators to add page variants within Page Manager, Panelizer, etc. to create custom pages.

The module doesn't sufficiently protect sensitive routes, allowing an attacker to view and modify blocks within variants without requiring appropriate permission.

This vulnerability is mitigated by the fact that an attacker must know the machine name of the variant and underlying page, which is not available within the source code of a page. Additionally, only simple blocks can be added or edited, as a more complex block will trigger an error due to missing permissions.

References
Credits

Affected packages

Packagist: https://packages.drupal.org/8 / drupal/panels

Package

Name
drupal/panels
Purl
pkg:composer/drupal/panels

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
4.9.0
Database specific
{
    "constraint": "<4.9.0"
}

Database specific

source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/panels/DRUPAL-CONTRIB-2025-033.json"
affected_versions
"<4.9.0"