[Security-news] Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2022-056

security-news at drupal.org
Wed Sep 7 17:36:48 UTC 2022


View online: https://www.drupal.org/sa-contrib-2022-056

Project: Permissions by Term [1]
Version: 3.1.18
Date: 2022-September-07
Security risk: *Moderately critical* 14∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Description: 
This module enables you to set content permissions based on taxonomy terms.

The module doesn't sufficiently restrict access to translated and unpublished
nodes.

This vulnerability is mitigated by the fact that it only affects sites with
translated content.

Solution: 
Install the latest version:

   * If you use the Permissions by Term module for Drupal 9.x, upgrade to
     version 3.1.19 [3]

Reported By: 
   * federico prato [4]

Fixed By: 
   * federico prato [5]
   * Peter Majmesku [6]
   * Jess [7] of the Drupal Security Team

Coordinated By: 
   * Damien McKenna [8] of the Drupal Security Team
   * Greg Knaddison [9] of the Drupal Security Team


[1] https://www.drupal.org/project/permissions_by_term
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/permissions_by_term/releases/3.1.19
[4] https://www.drupal.org/user/1631800
[5] https://www.drupal.org/user/1631800
[6] https://www.drupal.org/user/786132
[7] https://www.drupal.org/user/65776
[8] https://www.drupal.org/user/108450
[9] https://www.drupal.org/user/36762


