1.0 Introduction
Recently, Drupal has released a security update addressing a critical security risk in the Paragraphs Table contributed module.
2.0 Impact
This vulnerability could potentially allow attackers to execute malicious code on affected systems. Several routes only checked for the 'access content' permission before displaying a paragraph, and did not check whether the user should actually have access to view the paragraph in question.
The paragraphs_item.add_page route previously allowed anyone with the 'access content' permission to add paragraphs to any content, regardless of whether they had permission to edit the host field or content, and without invoking any other hooks that adjust access to adding paragraphs of that type.
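As an added illustration (not code from the paragraphs_table module or from the advisory), the two patterns the impact section contrasts: a route access callback that stops at the 'access content' permission, beside one that also consults the paragraph's own entity access and, for adding, the host entity and host field edit access. The namespace, class, method and route parameter names are assumed.

```php
<?php
// Illustrative access checks, not the module's code. Names are hypothetical.
namespace Drupal\example_module\Access;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\Entity\FieldableEntityInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\paragraphs\ParagraphInterface;

class ParagraphRouteAccess {

  public function __construct(private EntityTypeManagerInterface $entityTypeManager) {}

  // Weak pattern: every user holding 'access content' passes, even when entity
  // access would deny viewing this particular paragraph.
  public function viewWeak(AccountInterface $account): AccessResult {
    return AccessResult::allowedIfHasPermission($account, 'access content');
  }

  // Hardened: also delegate to the paragraph's access handler, which consults the
  // host entity and any hook_entity_access() implementations.
  public function viewChecked(ParagraphInterface $paragraph, AccountInterface $account): AccessResult {
    return AccessResult::allowedIfHasPermission($account, 'access content')
      ->andIf($paragraph->access('view', $account, TRUE))
      ->addCacheableDependency($paragraph);
  }

  // Hardened "add" check: the caller must be able to update the host entity, edit
  // the referencing field, and create paragraphs of the requested bundle.
  public function addChecked(string $host_type, string|int $host_id, string $field_name,
                             string $bundle, AccountInterface $account): AccessResult {
    $host = $this->entityTypeManager->getStorage($host_type)->load($host_id);
    if (!$host instanceof FieldableEntityInterface || !$host->hasField($field_name)) {
      return AccessResult::forbidden('Host entity or field not found.');
    }
    $create = $this->entityTypeManager->getAccessControlHandler('paragraph')
      ->createAccess($bundle, $account, [], TRUE);
    return $host->access('update', $account, TRUE)
      ->andIf($host->get($field_name)->access('edit', $account, TRUE))
      ->andIf($create)
      ->addCacheableDependency($host);
  }

}
```

Wiring viewChecked() or addChecked() as a route's `_custom_access` callback replaces the permission-only check with one that returns a cacheable AccessResult that varies by the entities it inspected.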
3.0 Affected Products
- paragraphs_table module version prior to 8.x-1.23
- paragraphs_table module 2.x versions prior to 2.0.2
4.0 Recommendations
CyberSecurity Malaysia encourages users and administrators to review the Drupal Paragraphs Table module advisory and apply the necessary updates.
Kindly refer to the following URL: https://www.drupal.org/sa-contrib-2024-036
Generally, Cyber999 advises users of this module to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.
For further enquiries, please contact Cyber999 through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 08:30 - 17:30 MYT
Web: https://www.mycert.org.my
5.0 References