
it-securitynotifies - [IT-SecNots] [Security-news] Config Terms - Critical - Access bypass - SA-CONTRIB-2022-047

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

List archive

[IT-SecNots] [Security-news] Config Terms - Critical - Access bypass - SA-CONTRIB-2022-047


  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Config Terms - Critical - Access bypass - SA-CONTRIB-2022-047
  • Date: Wed, 29 Jun 2022 17:34:16 +0000 (UTC)
  • Authentication-results: mail.piratenpartei.de; dkim=none; dmarc=pass (policy=none) header.from=drupal.org; spf=pass (mail.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.133 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2022-047

Project: Config Terms [1]
Date: 2022-June-29
Security risk: *Critical* 15/25
AC:Basic/A:User/CI:Some/II:Some/E:Proof/TD:All [2]
Vulnerability: Access bypass

Description: 
This module enables you to create and manage a version of taxonomy based on
configuration entities instead of content. This allows the terms,
vocabularies, and their structure to be exported, imported, and managed as
site configuration.

The module doesn't sufficiently check access for the edit and delete
operations. Users with "access content" permission can edit or delete any
term. The edit form may expose term data that users could not otherwise see,
since there is no term view route by default.

This vulnerability is slightly mitigated by the fact that an attacker must
have a role with the permission "access content", so it may not be
exploitable by anonymous users on all sites.
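The defect class described above, as an added illustration that is not code from the Config Terms module or from the fix: a Drupal entity access control handler that gates every operation on "access content" (so edit and delete are open to any content reader), beside a hardened handler that maps update/delete to an administrative permission. The namespace, class names and the "administer config terms" permission are assumptions for illustration; the module's actual classes and permission names are not on this page.

```php
<?php
// Added example (not the module's code). The entity type is assumed to route
// its edit/delete forms through entity access (_entity_access in routing.yml),
// so this handler is what decides who may update or delete a term.

namespace Drupal\example_terms;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityAccessControlHandler;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Weak handler: every operation is granted to anyone who can "access content".
 * With no separate view route, the edit form is also the only way to read
 * term data, and the same users can modify or delete it.
 */
class WeakTermAccessControlHandler extends EntityAccessControlHandler {

  protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
    // Update and delete fall through to the same read-level permission.
    return AccessResult::allowedIfHasPermission($account, 'access content');
  }

}

/**
 * Hardened handler: only "view" maps to "access content"; "update" and
 * "delete" require an administrative permission; anything else is denied.
 * Cache metadata is attached so the access result varies correctly per user.
 */
class HardenedTermAccessControlHandler extends EntityAccessControlHandler {

  protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
    switch ($operation) {
      case 'view':
        return AccessResult::allowedIfHasPermission($account, 'access content');

      case 'update':
      case 'delete':
        // Assumed permission name; it must be declared in permissions.yml.
        return AccessResult::allowedIfHasPermission($account, 'administer config terms')
          ->addCacheableDependency($entity);

      default:
        return AccessResult::forbidden()->cachePerPermissions();
    }
  }

}
```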

Solution: 
Install the latest version:

* If you use the Config Terms module for Drupal 9.x, upgrade to Config Terms
8.x-1.6 [3] or later

Reported By: 
* Emil Johnsson [4]

Fixed By: 
* Emil Johnsson [5]
* Justin Ludwig [6]


[1] https://www.drupal.org/project/config_terms
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/config_terms/releases/8.x-1.6
[4] https://www.drupal.org/user/1868992
[5] https://www.drupal.org/user/1868992
[6] https://www.drupal.org/user/669258

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news



Archive provided by MHonArc 2.6.24.
