Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2019-068

Project:

Permissions by Term

Date:

2019-September-25

Security risk:

Moderately critical 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default

Vulnerability:

Access bypass

Affected versions:

<2.11.0

Description:

This module enables you to control access to content based on taxonomy terms. The module doesn't sufficiently check if a given entity should be access controlled, defaulting to allowing access even to unpublished nodes.

The vulnerability is mitigated by the fact that the submodule Permissions by Entity must also be enabled.

Solution:

Install the latest version:

If you use the Permissions by Term module for Drupal 8.x, upgrade to Permissions by Term 8.x-2.11

Also see the Permissions by Term project page.

Reported By:

Jimmy Henderickx

Fixed By:

Marc-Oliver Teschke

Coordinated By:

Heine of the Drupal Security Team
Ivo Van Geertruyen of the Drupal Security Team

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter @drupalsecurity or Mastodon drupalsecurity@drupal.community.

Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2019-068

Contact and more information

Contributing organizations for this advisory

Thank you to these Drupal contributors

News items

Our community

Documentation

Drupal code base

Governance of community