[Security-news] Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2022-055
security-news at drupal.org
Wed Sep 7 17:36:10 UTC 2022
View online: https://www.drupal.org/sa-contrib-2022-055
Project: Permissions by Term [1]
Version: 3.1.17, 3.1.16, 3.1.15, 3.1.14, 3.1.13, 3.1.12, 3.1.11, 3.1.10,
3.1.9, 3.1.8, 3.1.7, 3.1.6, 3.1.5, 3.1.4, 3.1.3, 3.1.2, 3.1.1, 3.1.0,
3.0.1, 3.0.0
Date: 2022-September-07
Security risk: *Moderately critical* 14∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Description:
This module enables you to restrict content via taxonomy terms and related
permissions.
The module doesn't sufficiently restrict cached content in certain
circumstances.
This vulnerability is mitigated by the fact that it only occurs when multiple
entity types are enabled in the module.
Solution:
Install the latest version:
* If you use the Permissions by Term module for Drupal 9.x, upgrade to
version 3.1.19 [3]
Reported By:
* ytsurk [4]
* Andy Fowlston [5]
* Joseph [6]
* Julian Pustkuchen [7]
* Aleksi Peebles [8]
Fixed By:
* Peter Majmesku [9]
* ytsurk [10]
* Joseph [11]
* Julian Pustkuchen [12]
* Aleksi Peebles [13]
* Ambient.Impact [14]
* Stephen Mustgrave [15]
* Jay McGraw [16]
Coordinated By:
* Damien McKenna [17] of the Drupal Security Team
* Greg Knaddison [18] of the Drupal Security Team
[1] https://www.drupal.org/project/permissions_by_term
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/permissions_by_term/releases/3.1.19
[4] https://www.drupal.org/user/1153644
[5] https://www.drupal.org/user/220112
[6] https://www.drupal.org/user/3426415
[7] https://www.drupal.org/user/291091
[8] https://www.drupal.org/user/191965
[9] https://www.drupal.org/user/786132
[10] https://www.drupal.org/user/1153644
[11] https://www.drupal.org/user/3426415
[12] https://www.drupal.org/user/291091
[13] https://www.drupal.org/user/191965
[14] https://www.drupal.org/user/1131532
[15] https://www.drupal.org/user/3252890
[16] https://www.drupal.org/user/1124326
[17] https://www.drupal.org/user/108450
[18] https://www.drupal.org/user/36762