"Ricochet has been invaluable in taking our website to the next level. Throughout the development process, they met every need and were able to find creative solutions for every curveball we threw at them. Their knowledge of the latest web technologies, professionalism, and responsiveness brought everything together for us. I can highly recommend Ricochet Consulting to anyone looking to surge past their competition."
—Scott M. Wayne,

Private Taxonomy Terms - Moderately critical - Access bypass - SA-CONTRIB-2023-001

Wed, 2023-01-11 09:15 — Anonymous (not verified)

Project: Private Taxonomy TermsDate: 2023-January-11Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:Some/II:None/E:Theoretical/TD:DefaultVulnerability: Access bypassDescription: This module enables users to create 'private' vocabularies.
The module doesn't enforce permissions appropriately for the taxonomy overview page and overview form.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer own taxonomy" or "View private taxonomies" Solution: Install the latest version:

If you use the Private Taxonomy Terms module for Drupal 8.x, upgrade to Private Taxonomy Terms 8.x-2.6

Reported By:

Giuseppe

Fixed By:

Coordinated By:

Damien McKenna of the Drupal Security Team
Jess of the Drupal Security Team
Greg Knaddison of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2023-001

Search form

Private Taxonomy Terms - Moderately critical - Access bypass - SA-CONTRIB-2023-001