[Security-news] Private Taxonomy Terms - Critical - Access bypass, Information Disclosure, Multiple vulnerabilities - SA-CONTRIB-2022-014

[security-news at drupal.org]

View online: https://www.drupal.org/sa-contrib-2022-014

Project: Private Taxonomy Terms [1]
Date: 2022-January-26
Security risk: *Critical* 15∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass, Information Disclosure, Multiple
vulnerabilities

Description: 
This module enables users to create 'private' vocabularies.

The module doesn't sufficiently check user access permissions when attempting
to view, edit, or add terms to vocabularies, including vocabularies not
managed by the module.

Partial mitigation is available by requiring users have been granted at least
    "Administer own taxonomy", "Edit own terms in vocabulary_name" or  "Delete
own terms in vocabulary_name" permissions, however this does not mitigate all
known issues.

Solution: 
Install the latest version:

   * If you use the Private Taxonomy Terms module for Drupal 8 or 9, upgrade 
to
     Private Taxonomy Terms 8.x-2.5 [3]
   * If you use the Private Taxonomy Terms module for Drupal 7.x, upgrade to
     Private Taxonomy Terms 7.x-1.11 [4]

Reported By: 
   * Conrad Lara [5]

Fixed By: 
   * Conrad Lara [6]
   * Greg Knaddison [7] of the Drupal Security Team
   * Chris  [8] of the Drupal Security Team

Coordinated By: 
   * Greg Knaddison [9] of the Drupal Security Team
   * Chris  [10] of the Drupal Security Team


[1] https://www.drupal.org/project/private_taxonomy
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/private_taxonomy/releases/8.x-2.5
[4] https://www.drupal.org/project/private_taxonomy/releases/7.x-1.11
[5] https://www.drupal.org/user/1790054
[6] https://www.drupal.org/user/1790054
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/1850070
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/user/1850070