Multiple Critical Vulnerabilities in the Private Taxonomy Terms Module!
The Drupal Security Team published advisory SA-CONTRIB-2022-014 on January 26th, 2022, announcing critical access bypass, information disclosure, and other vulnerabilities in the Private Taxonomy Terms module. The module enables users to create ‘private’ vocabularies. The vulnerabilities arise because the module does not sufficiently check user access permissions when a user attempts to view, edit, or add terms to vocabularies, including vocabularies that are not managed by the module.
The issues are partially mitigated when users are required to hold permissions such as "Administer own taxonomy", "Edit own terms in vocabulary_name" or "Delete own terms in vocabulary_name"; however, this does not mitigate all known issues.
Solution:
- If you use the Private Taxonomy Terms module with Drupal 8 or 9, upgrade to Private Taxonomy Terms 8.x-2.5.
- If you use the Private Taxonomy Terms module with Drupal 7.x, upgrade to Private Taxonomy Terms 7.x-1.11.