[IT-SecNots] [Security-news] Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2019-068

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-contrib-2019-068

Project: Permissions by Term [1]
Version: 8.x-1.x-dev
Date: 2019-September-25
Security risk: *Moderately critical* 14∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Description: 
This module enables you to control access to content based on taxonomy terms.
The module doesn't sufficiently check if a given entity should be access
controlled, defaulting to allowing access even to unpublished nodes.

The vulnerability is mitigated by the fact that the submodule Permissions by
Entity must also be enabled.

Solution: 
Install the latest version:

  * If you use the Permissions by Term module for Drupal 8.x, upgrade to
    Permissions by Term 8.x-2.11 [3]

Also see the Permissions by Term [4] project page.

Reported By: 
  * Jimmy Henderickx  [5]

Fixed By: 
  * Marc-Oliver Teschke  [6]

Coordinated By: 
  * Heine [7] of the Drupal Security Team
  * Ivo Van Geertruyen [8] of the Drupal Security Team


[1] https://www.drupal.org/project/permissions_by_term
[2] https://www.drupal.org/security-team/risk-levels
[3] https://drupal.org/project/permissions_by_term/releases/8.x-2.11
[4] https://www.drupal.org/project/permissions_by_term
[5] https://www.drupal.org/user/462700
[6] https://www.drupal.org/user/1529744
[7] https://www.drupal.org/u/heine
[8] https://www.drupal.org/u/mrbaileys

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news