Private Taxonomy Terms - Moderately critical - Access bypass - SA-CONTRIB-2023-001 - Security-news

11 Jan 2023


      View online: https://www.drupal.org/sa-contrib-2023-001
Project: Private Taxonomy Terms [1]
Date: 2023-January-11
Security risk: *Moderately critical* 10∕25
AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Description: 
This module enables users to create 'private' vocabularies.
The module doesn't enforce permissions appropriately for the taxonomy
overview page and overview form.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "Administer own taxonomy" or "View private taxonomies"
Solution: 
Install the latest version:
* If you use the Private Taxonomy Terms module for Drupal 8.x, upgrade to
     Private Taxonomy Terms 8.x-2.6 [3]
Reported By: 
   * Giuseppe  [4]
Fixed By: 
   * Conrad Lara [5]
   * Giuseppe  [6]
Coordinated By: 
   * Damien McKenna [7] of the Drupal Security Team
   * Jess [8] of the Drupal Security Team
   * Greg Knaddison [9] of the Drupal Security Team
[1] https://www.drupal.org/project/private_taxonomy
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/private_taxonomy/releases/8.x-2.6
[4] https://www.drupal.org/user/3521392
[5] https://www.drupal.org/user/1790054
[6] https://www.drupal.org/user/3521392
[7] https://www.drupal.org/user/108450
[8] https://www.drupal.org/user/65776
[9] https://www.drupal.org/user/36762