[Security-news] Private Taxonomy Terms - Moderately critical - Access bypass - SA-CONTRIB-2023-001

security-news at drupal.org
Wed Jan 11 18:41:25 UTC 2023


View online: https://www.drupal.org/sa-contrib-2023-001

Project: Private Taxonomy Terms [1]
Date: 2023-January-11
Security risk: *Moderately critical* 10/25
AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Description: 
This module enables users to create 'private' vocabularies.

The module doesn't enforce permissions appropriately for the taxonomy
overview page and overview form.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "Administer own taxonomy" or "View private taxonomies".

Solution: 
Install the latest version:

   * If you use the Private Taxonomy Terms module for Drupal 8.x, upgrade to
     Private Taxonomy Terms 8.x-2.6 [3]

Reported By: 
   * Giuseppe [4]

Fixed By: 
   * Conrad Lara [5]
   * Giuseppe [6]

Coordinated By: 
   * Damien McKenna [7] of the Drupal Security Team
   * Jess [8] of the Drupal Security Team
   * Greg Knaddison [9] of the Drupal Security Team


[1] https://www.drupal.org/project/private_taxonomy
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/private_taxonomy/releases/8.x-2.6
[4] https://www.drupal.org/user/3521392
[5] https://www.drupal.org/user/1790054
[6] https://www.drupal.org/user/3521392
[7] https://www.drupal.org/user/108450
[8] https://www.drupal.org/user/65776
[9] https://www.drupal.org/user/36762
