View online: https://www.drupal.org/sa-contrib-2022-014

Project: Private Taxonomy Terms [1] Date: 2022-January-26 Security risk: *Critical* 15∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All [2] Vulnerability: Access bypass, Information Disclosure, Multiple vulnerabilities

Description:  This module enables users to create 'private' vocabularies.

The module doesn't sufficiently check user access permissions when attempting to view, edit, or add terms to vocabularies, including vocabularies not managed by the module.

Partial mitigation is available by requiring users have been granted at least "Administer own taxonomy", "Edit own terms in vocabulary_name" or "Delete own terms in vocabulary_name" permissions, however this does not mitigate all known issues.

Solution:  Install the latest version:

* If you use the Private Taxonomy Terms module for Drupal 8 or 9, upgrade to Private Taxonomy Terms 8.x-2.5 [3] * If you use the Private Taxonomy Terms module for Drupal 7.x, upgrade to Private Taxonomy Terms 7.x-1.11 [4]

Reported By:  * Conrad Lara [5]

Fixed By:  * Conrad Lara [6] * Greg Knaddison [7] of the Drupal Security Team * Chris [8] of the Drupal Security Team

Coordinated By:  * Greg Knaddison [9] of the Drupal Security Team * Chris [10] of the Drupal Security Team

[1] https://www.drupal.org/project/private_taxonomy [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/private_taxonomy/releases/8.x-2.5 [4] https://www.drupal.org/project/private_taxonomy/releases/7.x-1.11 [5] https://www.drupal.org/user/1790054 [6] https://www.drupal.org/user/1790054 [7] https://www.drupal.org/user/36762 [8] https://www.drupal.org/user/1850070 [9] https://www.drupal.org/user/36762 [10] https://www.drupal.org/user/1850070