Description
The Field API Pane Editor module adds a contextual link to Field API Panel Panes to edit individual field values inline.
The module registered its field edit route with an access callback that unconditionally granted menu-level access to all users, including anonymous visitors. Although entity and field access checks existed inside the page callback, placing them there rather than in a dedicated access callback bypasses Drupal's standard routing-level access architecture, allowing unauthenticated requests to reach the controller before any permission is evaluated.
This vulnerability is mitigated by the fact that entity and field access checks within the page callback may still deny access on sites where those APIs are correctly configured, but no such guarantee exists across all entity types and field configurations.
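The pattern described above, shown as an added example that is not the FAPE module's own code: a hypothetical Drupal 7 module (mymodule) with a hook_menu() entry whose access callback unconditionally returns TRUE, beside the corrected form that moves the entity and field checks into a dedicated access callback. The route path, function names and arguments are assumptions; entity_access() comes from the contrib Entity API module, while field_access(), entity_load(), entity_extract_ids() and field_info_instance() are Drupal 7 core functions.

```php
<?php
/**
 * Implements hook_menu().
 *
 * Hypothetical module illustrating the weak and the corrected route definition.
 */
function mymodule_menu() {
  $items = array();

  // WEAK: menu-level access is granted to everyone, anonymous users included.
  // Any checks inside the page callback run only after routing has already
  // admitted the request, which is the misplacement the advisory describes.
  $items['mymodule/edit-weak/%/%/%'] = array(
    'title' => 'Edit field (weak)',
    'page callback' => 'mymodule_field_edit_page',
    'page arguments' => array(2, 3, 4),
    'access callback' => TRUE,
    'type' => MENU_CALLBACK,
  );

  // CORRECTED: a dedicated access callback receives the same arguments and
  // performs the entity and field checks before the page callback is reached.
  $items['mymodule/edit/%/%/%'] = array(
    'title' => 'Edit field',
    'page callback' => 'mymodule_field_edit_page',
    'page arguments' => array(2, 3, 4),
    'access callback' => 'mymodule_field_edit_access',
    'access arguments' => array(2, 3, 4),
    'type' => MENU_CALLBACK,
  );

  return $items;
}

/**
 * Menu access callback: may the current user edit this field on this entity?
 *
 * @param string $entity_type
 *   Entity type machine name, e.g. 'node' (from the path).
 * @param string $entity_id
 *   Entity ID (from the path).
 * @param string $field_name
 *   Field machine name (from the path).
 *
 * @return bool
 *   TRUE only when both the entity and the field instance are editable.
 */
function mymodule_field_edit_access($entity_type, $entity_id, $field_name, $account = NULL) {
  if (!isset($account)) {
    $account = $GLOBALS['user'];
  }

  // Reject anything that is not a positive integer ID before touching the DB.
  if (!ctype_digit((string) $entity_id) || (int) $entity_id < 1) {
    return FALSE;
  }

  $entities = entity_load($entity_type, array((int) $entity_id));
  if (empty($entities)) {
    return FALSE;
  }
  $entity = reset($entities);

  // Entity-level check (Entity API module). Fail closed if it is unavailable.
  if (!function_exists('entity_access') || !entity_access('update', $entity_type, $entity, $account)) {
    return FALSE;
  }

  // Field-level check: the instance must exist on this bundle and be editable.
  list(, , $bundle) = entity_extract_ids($entity_type, $entity);
  $instance = field_info_instance($entity_type, $field_name, $bundle);
  if (empty($instance)) {
    return FALSE;
  }
  $field = field_info_field($field_name);

  return (bool) field_access('edit', $field, $entity_type, $entity, $account);
}

/**
 * Page callback. With the corrected route it is only reached after
 * mymodule_field_edit_access() has returned TRUE.
 */
function mymodule_field_edit_page($entity_type, $entity_id, $field_name) {
  // Build the inline edit form here; access has already been decided.
  return drupal_get_form('mymodule_field_edit_form', $entity_type, $entity_id, $field_name);
}
```

Keeping the decision in the access callback also means Drupal's menu system and block/link rendering respect it consistently, rather than every link being visible and the denial happening only once the page callback runs.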
Solution
Install the latest version.
If you use the Field API Pane Editor (FAPE) module for Drupal 7, upgrade to fape 7.x-1.3:
Reported by
Fixed by
- Tag1 D7ES
- Damien McKenna (damienmckenna)
Coordinated by
- Tag1 D7ES