View online: https://www.drupal.org/sa-contrib-2022-055
Project: Permissions by Term [1] Version: 3.1.173.1.163.1.153.1.143.1.133.1.123.1.113.1.103.1.93.1.83.1.73.1.63.1.53.1.43.1.33.1.23.1.13.1.03.0.13.0.0 Date: 2022-September-07 Security risk: *Moderately critical* 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2] Vulnerability: Access bypass
Description: This module enables you to restrict content via taxonomy terms and related permissions.
The module doesn't sufficiently restrict cached content in certain circumstances.
This vulnerability is mitigated by the fact that it only occurs when multiple entity types are enabled in the module.
Solution: Install the latest version:
* If you use the Permissions by Term module for Drupal 9.x, upgrade to version 3.1.19 [3]
Reported By: * ytsurk [4] * Andy Fowlston [5] * Joseph [6] * Julian Pustkuchen [7] * Aleksi Peebles [8]
Fixed By: * Peter Majmesku [9] * ytsurk [10] * Joseph [11] * Julian Pustkuchen [12] * Aleksi Peebles [13] * Ambient.Impact [14] * Stephen Mustgrave [15] * Jay McGraw [16]
Coordinated By: * Damien McKenna [17] of the Drupal Security Team * Greg Knaddison [18] of the Drupal Security Team
[1] https://www.drupal.org/project/permissions_by_term [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/permissions_by_term/releases/3.1.19 [4] https://www.drupal.org/user/1153644 [5] https://www.drupal.org/user/220112 [6] https://www.drupal.org/user/3426415 [7] https://www.drupal.org/user/291091 [8] https://www.drupal.org/user/191965 [9] https://www.drupal.org/user/786132 [10] https://www.drupal.org/user/1153644 [11] https://www.drupal.org/user/3426415 [12] https://www.drupal.org/user/291091 [13] https://www.drupal.org/user/191965 [14] https://www.drupal.org/user/1131532 [15] https://www.drupal.org/user/3252890 [16] https://www.drupal.org/user/1124326 [17] https://www.drupal.org/user/108450 [18] https://www.drupal.org/user/36762