
it-securitynotifies - [IT-SecNots] [Security-news] Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2022-055

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2022-055
  • Date: Wed, 7 Sep 2022 17:36:10 +0000 (UTC)
  • Authentication-results: mail.piratenpartei.de; dkim=none; dmarc=pass (policy=none) header.from=drupal.org; spf=pass (mail.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.137 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2022-055

Project: Permissions by Term [1]
Version: 3.1.17, 3.1.16, 3.1.15, 3.1.14, 3.1.13, 3.1.12, 3.1.11, 3.1.10, 3.1.9, 3.1.8, 3.1.7, 3.1.6, 3.1.5, 3.1.4, 3.1.3, 3.1.2, 3.1.1, 3.1.0, 3.0.1, 3.0.0
Date: 2022-September-07
Security risk: *Moderately critical* 14∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Description: 
This module enables you to restrict content via taxonomy terms and related
permissions.

The module doesn't sufficiently restrict cached content in certain
circumstances.

This vulnerability is mitigated by the fact that it only occurs when multiple
entity types are enabled in the module.

Solution: 
Install the latest version:

* If you use the Permissions by Term module for Drupal 9.x, upgrade to
version 3.1.19 [3]

Reported By: 
* ytsurk [4]
* Andy Fowlston [5]
* Joseph [6]
* Julian Pustkuchen [7]
* Aleksi Peebles [8]

Fixed By: 
* Peter Majmesku [9]
* ytsurk [10]
* Joseph [11]
* Julian Pustkuchen [12]
* Aleksi Peebles [13]
* Ambient.Impact [14]
* Stephen Mustgrave [15]
* Jay McGraw [16]

Coordinated By: 
* Damien McKenna [17] of the Drupal Security Team
* Greg Knaddison [18] of the Drupal Security Team


[1] https://www.drupal.org/project/permissions_by_term
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/permissions_by_term/releases/3.1.19
[4] https://www.drupal.org/user/1153644
[5] https://www.drupal.org/user/220112
[6] https://www.drupal.org/user/3426415
[7] https://www.drupal.org/user/291091
[8] https://www.drupal.org/user/191965
[9] https://www.drupal.org/user/786132
[10] https://www.drupal.org/user/1153644
[11] https://www.drupal.org/user/3426415
[12] https://www.drupal.org/user/291091
[13] https://www.drupal.org/user/191965
[14] https://www.drupal.org/user/1131532
[15] https://www.drupal.org/user/3252890
[16] https://www.drupal.org/user/1124326
[17] https://www.drupal.org/user/108450
[18] https://www.drupal.org/user/36762


