Fieldable Panels Panes - Less Critical - Access bypass - SA-CONTRIB-2015-145

Fieldable Panels Panes enables you to create custom panes for embedding in Panels-based displays (Page Manager, Panelizer, Panels Everywhere) via a fieldable custom entity type.

The module doesn’t sufficiently check for permission to edit existing Fieldable Panels Panes entities, thus allowing someone to modify a pane they don’t have permission to edit.

This vulnerability is mitigated by the fact that an attacker must have a role with the necessary permissions to edit a panels display that has a custom pane, and it’s uncommon that someone is given access to this functionality and not also permission to edit the panes.

CVE identifier(s) issued

• CVE-2015-7227

Versions affected

• Fieldable Panels Panes 7.x-1.x versions prior to 7.x-1.7.

Drupal core is not affected. If you do not use the contributed Fieldable Panels Panes (FPP) module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Fieldable Panels Panes for Drupal 7, upgrade to Fieldable Panels Panels 7.x-1.7.

Also see the Fieldable Panels Panes (FPP) project page.

Reported by

• Chris Burge

Fixed by

• Chris Burge
• Damien McKenna, the module maintainer.
• David Snopek of the Drupal Security Team.

Coordinated by

• David Snopek of the Drupal Security Team.