Private Taxonomy Terms - Critical - Access bypass, Information Disclosure, Multiple vulnerabilities - SA-CONTRIB-2022-014

Project: Private Taxonomy Terms
Date: 2022-January-26
Security risk: Critical 15∕25
Vulnerability: Access bypass, Information Disclosure, Multiple vulnerabilities

Description

This module enables users to create 'private' vocabularies.

The module doesn't sufficiently check user access permissions when attempting to view, edit, or add terms to vocabularies, including vocabularies not managed by the module.

Partial mitigation is available by requiring users have been granted at least "Administer own taxonomy", "Edit own terms in vocabulary_name" or "Delete own terms in vocabulary_name" permissions, however this does not mitigate all known issues.

Solution

Install the latest version:

If you use the Private Taxonomy Terms module for Drupal 8 or 9, upgrade to Private Taxonomy Terms 8.x-2.5
If you use the Private Taxonomy Terms module for Drupal 7.x, upgrade to Private Taxonomy Terms 7.x-1.11