Private Taxonomy Terms - Moderately critical - Access bypass - SA-CONTRIB-2023-001

Project:

Private Taxonomy Terms

Date:

2023-January-11

Security risk:

Moderately critical 10∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default

Vulnerability:

Access bypass

Affected versions:

<2.6.0

Description:

This module enables users to create 'private' vocabularies.

The module doesn't enforce permissions appropriately for the taxonomy overview page and overview form.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer own taxonomy" or "View private taxonomies"

Solution:

Install the latest version:

If you use the Private Taxonomy Terms module for Drupal 8.x, upgrade to Private Taxonomy Terms 8.x-2.6

Reported By:

Giuseppe

Fixed By:

Coordinated By:

Damien McKenna of the Drupal Security Team
xjm of the Drupal Security Team
Greg Knaddison of the Drupal Security Team

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter @drupalsecurity or Mastodon drupalsecurity@drupal.community.

Private Taxonomy Terms - Moderately critical - Access bypass - SA-CONTRIB-2023-001

Contact and more information

Contributing organizations for this advisory

Thank you to these Drupal contributors

News items

Our community

Documentation

Drupal code base

Governance of community