[Security-news] Taxonomy File Tree - Moderately critical - Access bypass - SA-CONTRIB-2018-061
security-news at drupal.org
security-news at drupal.org
Wed Sep 26 17:06:24 UTC 2018
View online: https://www.drupal.org/sa-contrib-2018-061
Project: Taxonomy File Tree [1]
Version: 7.x-1.0
Date: 2018-September-26
Security risk: *Moderately critical* 13∕25
AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass
Description:
Taxonomy File Tree allows site managers to create file trees.
For files managed as Drupal files, the module does not properly check that a
user has access to a file before letting the user download the file.
This vulnerability only affects sites that use private files.
Solution:
Install the latest version:
* If you use the Taxonomy File Tree module for Drupal 7.x, upgrade to
Taxonomy File Tree 7.x-1.1 [3]
Also see the Taxonomy File Tree [4] project page.
Reported By:
* Nathaniel Catchpole [5] of the Drupal Security Team
Fixed By:
* James Aparicio [6]
* Nathaniel Catchpole [7] of the Drupal Security Team
* Francesco Placella [8]
Coordinated By:
* Greg Knaddison [9] of the Drupal Security Team
[1] https://www.drupal.org/project/tft
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/tft/releases/7.x-1.1
[4] https://www.drupal.org/project/tft
[5] https://www.drupal.org/user/35733
[6] https://www.drupal.org/user/2547544
[7] https://www.drupal.org/user/35733
[8] https://www.drupal.org/user/183211
[9] https://www.drupal.org/user/32672
More information about the Security-news
mailing list