
[IT-SecNots] [Security-news] Taxonomy Manager - Moderately critical - Access bypass - SA-CONTRIB-2021-035


  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Taxonomy Manager - Moderately critical - Access bypass - SA-CONTRIB-2021-035
  • Date: Wed, 22 Sep 2021 18:05:59 +0000 (UTC)
  • Authentication-results: mail02.piratenpartei.de; dkim=none; spf=pass (mail02.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.138 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2021-035

Project: Taxonomy Manager [1]
Date: 2021-September-22
Security risk: *Moderately critical* 10/25
AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Description: 
This module provides a powerful interface for managing a taxonomy vocabulary.
A vocabulary gets displayed in a dynamic tree view, where parent terms can be
expanded to list their nested child terms or can be collapsed.

The module does not take the correct user permissions into account, allowing
an attacker to delete and move terms.

The issue is mitigated by the fact that an attacker must have permission to
create terms in the targeted vocabulary.
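As an added illustration (not the Taxonomy Manager module's code or its actual fix), the pattern behind a missing-permission access bypass on a term tree, next to the per-entity check that closes it using Drupal's entity access API. The function names and the bulk-action shape are hypothetical:

```php
<?php
// Added illustration, not the module's code: delete/move of taxonomy terms
// without and with per-entity access checks.

use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Weak pattern: assumes that reaching the tree UI at all is enough and applies
 * the requested delete/move to every term. A user who may only create terms in
 * the vocabulary can still delete or re-parent terms they may not touch.
 */
function tree_bulk_apply_unchecked(EntityTypeManagerInterface $etm, array $tids, ?int $new_parent_tid): void {
  $storage = $etm->getStorage('taxonomy_term');
  foreach ($storage->loadMultiple($tids) as $term) {
    if ($new_parent_tid === NULL) {
      $term->delete();
    }
    else {
      $term->set('parent', $new_parent_tid);
      $term->save();
    }
  }
}

/**
 * Hardened pattern: ask the entity access system for each term and for the
 * concrete operation ('delete' or 'update'). Returns the ids that were skipped
 * so the caller can report them instead of silently ignoring them.
 */
function tree_bulk_apply_checked(EntityTypeManagerInterface $etm, AccountInterface $account, array $tids, ?int $new_parent_tid): array {
  $storage = $etm->getStorage('taxonomy_term');
  $skipped = [];
  foreach ($storage->loadMultiple($tids) as $tid => $term) {
    $op = $new_parent_tid === NULL ? 'delete' : 'update';
    // Entity access covers the vocabulary-level "delete terms in X" /
    // "edit terms in X" permissions as well as hook_entity_access() overrides.
    if (!$term->access($op, $account)) {
      $skipped[] = $tid;
      continue;
    }
    if ($op === 'delete') {
      $term->delete();
    }
    else {
      $term->set('parent', $new_parent_tid);
      $term->save();
    }
  }
  return $skipped;
}
```

The check belongs in the submit/AJAX handler that performs the change, not only in the code that renders the tree, because the request can be issued without the rendered buttons.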

Solution: 
Install the latest version:

* If you use the Taxonomy Manager module for Drupal 8 or 9, upgrade to
Taxonomy Manager 2.0.6 [3]

Reported By: 
* Klaus Purer [4]

Fixed By: 
* Matthias Hutterer [5]
* Klaus Purer [6]
* Ales Bencina [7]

Coordinated By: 
* Damien McKenna [8] of the Drupal Security Team
* Greg Knaddison [9] of the Drupal Security Team


[1] https://www.drupal.org/project/taxonomy_manager
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/taxonomy_manager/releases/2.0.6
[4] https://www.drupal.org/user/262198
[5] https://www.drupal.org/user/59747
[6] https://www.drupal.org/user/262198
[7] https://www.drupal.org/user/3558110
[8] https://www.drupal.org/u/damienmckenna
[9] https://www.drupal.org/u/greggles

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news



Archive provided by MHonArc 2.6.24.
