Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2022-056 - Security-news

7 Sep 2022


      View online: https://www.drupal.org/sa-contrib-2022-056
Project: Permissions by Term [1]
Version: 3.1.18
Date: 2022-September-07
Security risk: *Moderately critical* 14∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Description: 
This module enables you to set content permissions based on taxonomy terms.
The module doesn't sufficiently restrict access to translated and unpublished
nodes.
This vulnerability is mitigated by the fact that it only affects sites with
translated content.
Solution: 
Install the latest version:
* If you use the Permissions by Term module for Drupal 9.x, upgrade to
     version 3.1.19 [3]
Reported By: 
   * federico prato [4]
Fixed By: 
   * federico prato [5]
   * Peter Majmesku [6]
   * Jess  [7] of the Drupal Security Team
Coordinated By: 
   * Damien McKenna [8] of the Drupal Security Team
   * Greg Knaddison [9] of the Drupal Security Team
[1] https://www.drupal.org/project/permissions_by_term
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/permissions_by_term/releases/3.1.19
[4] https://www.drupal.org/user/1631800
[5] https://www.drupal.org/user/1631800
[6] https://www.drupal.org/user/786132
[7] https://www.drupal.org/user/65776
[8] https://www.drupal.org/user/108450
[9] https://www.drupal.org/user/36762