
it-securitynotifies - [IT-SecNots] [Security-news] Private Taxonomy Terms - Critical - Access bypass, Information Disclosure, Multiple vulnerabilities - SA-CONTRIB-2022-014

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

List archive



  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Private Taxonomy Terms - Critical - Access bypass, Information Disclosure, Multiple vulnerabilities - SA-CONTRIB-2022-014
  • Date: Wed, 26 Jan 2022 18:45:28 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2022-014

Project: Private Taxonomy Terms [1]
Date: 2022-January-26
Security risk: *Critical* 15/25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass, Information Disclosure, Multiple
vulnerabilities

Description: 
This module enables users to create 'private' vocabularies.

The module doesn't sufficiently check user access permissions when attempting
to view, edit, or add terms to vocabularies, including vocabularies not
managed by the module.

Partial mitigation is available by requiring that users have been granted at
least the "Administer own taxonomy", "Edit own terms in vocabulary_name" or
"Delete own terms in vocabulary_name" permission; however, this does not
mitigate all known issues, so it is not a substitute for updating.

Solution: 
Install the latest version:

* If you use the Private Taxonomy Terms module for Drupal 8 or 9, upgrade to
Private Taxonomy Terms 8.x-2.5 [3]
* If you use the Private Taxonomy Terms module for Drupal 7.x, upgrade to
Private Taxonomy Terms 7.x-1.11 [4]
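The following is an added example, not code from the advisory or from the Private Taxonomy Terms module, that a site operator can run against a Drupal checkout to confirm whether the installed copy is at or above the fixed releases named above (8.x-2.5 for Drupal 8/9, 7.x-1.11 for Drupal 7). It reads the packaged `version:` line of `private_taxonomy.info.yml` (or the `version =` line of the Drupal 7 `private_taxonomy.info`); the sample info file contents are constructed for illustration, and a git checkout without a packaged version line, or a `-dev` snapshot, is reported as needing action because nothing proves it contains the fix.

```python
import re
from pathlib import Path
from typing import Iterator, Optional, Tuple

# Fixed releases named in SA-CONTRIB-2022-014, keyed by "<core>-<major>" branch.
FIXED = {"8.x-2": 5, "7.x-1": 11}

# Matches both "version: '8.x-2.4'" (.info.yml) and 'version = "7.x-1.10"' (.info).
VERSION_RE = re.compile(
    r"""^version\s*[:=]\s*["']?([0-9]\.x-[0-9]+\.(?:[0-9]+|x-dev))["']?\s*$""",
    re.M,
)

# Constructed sample of a packaged 8.x info file (not taken from the project).
SAMPLE_INFO_YML = """\
name: Private Taxonomy Terms
type: module
core_version_requirement: ^8.8 || ^9
version: '8.x-2.4'
"""


def parse_version(info_text: str) -> Optional[str]:
    """Return the packaged version string, or None when the file carries none
    (typical of a plain git checkout, which drupal.org packaging never stamped)."""
    m = VERSION_RE.search(info_text)
    return m.group(1) if m else None


def needs_update(version: Optional[str]) -> Tuple[bool, str]:
    """Classify an installed version against the advisory's fixed releases.

    Returns (needs_action, reason). Anything that cannot be shown to be at or
    above a fixed release is reported as needing action."""
    if version is None:
        return True, "no version line found; cannot confirm a fixed release is installed"
    core, rest = version.split("-", 1)          # "8.x", "2.4"  or  "8.x", "2.x-dev"
    major, minor = rest.split(".", 1)           # "2", "4"      or  "2", "x-dev"
    branch = f"{core}-{major}"
    if branch not in FIXED:
        return True, f"branch {branch} is not covered by the advisory; verify manually"
    if minor == "x-dev":
        return True, "development snapshot; update to the tagged fixed release"
    fixed_minor = FIXED[branch]
    if int(minor) < fixed_minor:
        return True, f"{version} is below fixed release {branch}.{fixed_minor}"
    return False, f"{version} is at or above fixed release {branch}.{fixed_minor}"


def find_info_files(root: Path) -> Iterator[Path]:
    """Yield every Private Taxonomy Terms info file under a Drupal docroot."""
    for name in ("private_taxonomy.info.yml", "private_taxonomy.info"):
        yield from root.rglob(name)


def audit_tree(root: Path) -> list:
    """Audit each installed copy (a site may carry one in sites/all and one in
    modules/contrib). Returns [(path, needs_action, reason), ...]."""
    results = []
    for path in find_info_files(root):
        flag, reason = needs_update(parse_version(path.read_text()))
        results.append((str(path), flag, reason))
    return results


if __name__ == "__main__":
    import sys
    docroot = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    findings = audit_tree(docroot)
    if not findings:
        print("module not found under", docroot)
    for path, flag, reason in findings:
        print(("UPDATE  " if flag else "ok      ") + path + ": " + reason)
    sys.exit(1 if any(f for _, f, _ in findings) else 0)
```

Run it as `python audit_private_taxonomy.py /var/www/drupal` from the host; a non-zero exit means at least one copy needs the update. Because the check keys on the packaged version line, it does not detect a manually patched checkout, and the advisory's partial mitigation (restricting the "own terms" permissions) is not something this script evaluates.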

Reported By: 
* Conrad Lara [5]

Fixed By: 
* Conrad Lara [6]
* Greg Knaddison [7] of the Drupal Security Team
* Chris [8] of the Drupal Security Team

Coordinated By: 
* Greg Knaddison [9] of the Drupal Security Team
* Chris [10] of the Drupal Security Team


[1] https://www.drupal.org/project/private_taxonomy
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/private_taxonomy/releases/8.x-2.5
[4] https://www.drupal.org/project/private_taxonomy/releases/7.x-1.11
[5] https://www.drupal.org/user/1790054
[6] https://www.drupal.org/user/1790054
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/1850070
[9] https://www.drupal.org/user/36762
[10] https://www.drupal.org/user/1850070

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news



Archive provided by MHonArc 2.6.24.
