it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
[IT-SecNots] [Security-news] Private Taxonomy Terms - Moderately critical - Access bypass - SA-CONTRIB-2023-001
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Private Taxonomy Terms - Moderately critical - Access bypass - SA-CONTRIB-2023-001
- Date: Wed, 11 Jan 2023 18:41:25 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2023-001
Project: Private Taxonomy Terms [1]
Date: 2023-January-11
Security risk: *Moderately critical* 10/25
AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass
Description:
This module enables users to create 'private' vocabularies.
The module doesn't enforce permissions appropriately for the taxonomy
overview page and overview form.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "Administer own taxonomy" or "View private taxonomies".
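To illustrate the kind of owner-scoped route access check that a per-vocabulary overview page or form needs, here is an added example written for this message; it is not code from the Private Taxonomy Terms module or from the fix release. The permission machine names, the ownership lookup callable and the service wiring are assumptions, and the policy shown (only the vocabulary owner holding the "own" permission may reach the route) is an illustration, not the module's actual access model.

```php
<?php

namespace Drupal\example_private_taxonomy\Access;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Routing\Access\AccessInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\taxonomy\VocabularyInterface;

/**
 * Hypothetical access check for a private vocabulary's overview route.
 *
 * Register it as a service tagged 'access_check' and require it on the
 * route, which must upcast {taxonomy_vocabulary} to an entity:
 *   requirements:
 *     _private_vocabulary_overview_access: 'TRUE'
 */
final class PrivateVocabularyOverviewAccessCheck implements AccessInterface {

  /**
   * @param \Closure $ownerIdOf
   *   Assumed lookup: given a vocabulary id, returns the owning user id,
   *   or NULL when the vocabulary is not private (the module's own
   *   storage is not described in the advisory, so it is abstracted here).
   */
  public function __construct(private \Closure $ownerIdOf) {}

  public function access(VocabularyInterface $taxonomy_vocabulary, AccountInterface $account): AccessResultInterface {
    $owner = ($this->ownerIdOf)($taxonomy_vocabulary->id());

    // Not a private vocabulary: say nothing and let core's taxonomy
    // permissions on the route decide (neutral, not allowed).
    if ($owner === NULL) {
      return AccessResult::neutral()->addCacheableDependency($taxonomy_vocabulary);
    }

    // Private vocabulary: holding the "own" permission is necessary but
    // not sufficient; the account must also be the owner of *this*
    // vocabulary. Anything else falls through to neutral, which Drupal
    // treats as denied when no other check grants access. A read-only
    // overview route could additionally orIf() a view-type permission.
    $isOwner = (int) $owner === (int) $account->id();
    return AccessResult::allowedIf($isOwner)
      ->andIf(AccessResult::allowedIfHasPermission($account, 'administer own taxonomy'))
      ->cachePerUser()
      ->addCacheableDependency($taxonomy_vocabulary);
  }

}
```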
Solution:
Install the latest version:
* If you use the Private Taxonomy Terms module for Drupal 8.x, upgrade to
Private Taxonomy Terms 8.x-2.6 [3].
Reported By:
* Giuseppe [4]
Fixed By:
* Conrad Lara [5]
* Giuseppe [6]
Coordinated By:
* Damien McKenna [7] of the Drupal Security Team
* Jess [8] of the Drupal Security Team
* Greg Knaddison [9] of the Drupal Security Team
[1] https://www.drupal.org/project/private_taxonomy
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/private_taxonomy/releases/8.x-2.6
[4] https://www.drupal.org/user/3521392
[5] https://www.drupal.org/user/1790054
[6] https://www.drupal.org/user/3521392
[7] https://www.drupal.org/user/108450
[8] https://www.drupal.org/user/65776
[9] https://www.drupal.org/user/36762
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news