
it-securitynotifies - [IT-SecNots] [Security-news] Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2022-056

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2022-056
  • Date: Wed, 7 Sep 2022 17:36:48 +0000 (UTC)
  • Authentication-results: mail.piratenpartei.de; dkim=none; dmarc=pass (policy=none) header.from=drupal.org; spf=pass (mail.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.137 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2022-056

Project: Permissions by Term [1]
Version: 3.1.18
Date: 2022-September-07
Security risk: *Moderately critical* 14∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Description: 
This module enables you to set content permissions based on taxonomy terms.

The module doesn't sufficiently restrict access to translated and unpublished
nodes.

This vulnerability is mitigated by the fact that it only affects sites with
translated content.

Solution: 
Install the latest version:

* If you use the Permissions by Term module for Drupal 9.x, upgrade to
version 3.1.19 [3]

Reported By: 
* federico prato [4]

Fixed By: 
* federico prato [5]
* Peter Majmesku [6]
* Jess [7] of the Drupal Security Team

Coordinated By: 
* Damien McKenna [8] of the Drupal Security Team
* Greg Knaddison [9] of the Drupal Security Team


[1] https://www.drupal.org/project/permissions_by_term
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/permissions_by_term/releases/3.1.19
[4] https://www.drupal.org/user/1631800
[5] https://www.drupal.org/user/1631800
[6] https://www.drupal.org/user/786132
[7] https://www.drupal.org/user/65776
[8] https://www.drupal.org/user/108450
[9] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
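
A check for the release named in the advisory, as an added example that is not part of the advisory or of the project's code: it reads a Composer lock file and reports whether Permissions by Term is locked below the fixed 3.1.19. The Composer package name `drupal/permissions_by_term`, the treatment of every 3.x release below 3.1.19 as needing the upgrade, and the sample lock data are assumptions made for this example.

```python
import json
import re

PACKAGE = "drupal/permissions_by_term"  # assumed Composer name for the project
FIXED = (3, 1, 19)                      # fixed release named in the advisory


def parse_version(raw):
    """Return (major, minor, patch) for a plain release string, else None."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def check_lock(lock_text):
    """Classify a composer.lock: absent, needs_upgrade, fixed or unknown."""
    lock = json.loads(lock_text)
    # A module can be locked as a runtime or as a dev dependency.
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() != PACKAGE:
                continue
            raw = pkg.get("version", "")
            version = parse_version(raw)
            # Dev branches, pre-releases and release lines other than 3.x are
            # not covered by the advisory text; flag them for manual review.
            if version is None or version[0] != FIXED[0]:
                return "unknown", raw
            return ("fixed" if version >= FIXED else "needs_upgrade"), raw
    return "absent", None


# Constructed sample lock data, not taken from a real site.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "9.4.5"},
        {"name": "drupal/permissions_by_term", "version": "3.1.18"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    status, version = check_lock(SAMPLE_LOCK)
    print(f"{PACKAGE}: {version} -> {status}")
```

A `needs_upgrade` result only establishes the installed release; whether the site has translated content, the mitigating condition the advisory names, has to be checked on the site itself.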

