Drupal Private Taxonomy Vulnerability Security Update - 20230113001
Overview
Drupal has released a security update to address a vulnerability affecting private vocabulary modules for Drupal 8.x.
An unauthorised user could exploit this vulnerability to bypass access permissions to create, modify, and delete private vocabulary terms.
What is the vulnerability?
This module enables users to create 'private' vocabularies.
The module doesn't enforce permissions appropriately for the taxonomy overview page and overview form.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer own taxonomy" or "View private taxonomies".
What is vulnerable?
The vulnerability affects the following products:
- Private Taxonomy Terms module (8.x): access bypass
Recommendation
The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected platforms: https://www.drupal.org/sa-contrib-2023-001