DRUPAL-CONTRIB-2025-097

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/layout_builder_perms/DRUPAL-CONTRIB-2025-097.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2025-097
Aliases
  • CVE-2025-8996
Published
2025-08-13T17:33:34Z
Modified
2025-12-10T23:41:27.867104Z
Summary
[none]
Details

The Layout Builder Advanced Permissions module enables you to have fine-grained control over who can do what when editing pages built with Layout Builder.

The module doesn't sufficiently control access for adding sections in the submodule.

This vulnerability is mitigated by the fact that an attacker must have a role with a specific set of permissions:

  • Node: View published content
  • Node: (Your content type): Create new content
  • Node: (Your content type): Edit any content
  • Layout builder: (Your content type): Configure layout overrides for content items that the user can edit
  • Layout builder advanced permissions: Access Layout Builder page

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/layout_builder_perms

Package

Name
drupal/layout_builder_perms
Purl
pkg:composer/drupal/layout_builder_perms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.2.0
Last affected
2.2.0
Database specific
{
    "constraint": "2.2.0"
}

Database specific

affected_versions
"2.2.0"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/layout_builder_perms/DRUPAL-CONTRIB-2025-097.json"