Drupal has patched a Moderately Critical ‘Private Taxonomy Terms’ vulnerability that affect multiple versions of Drupal Core.
A remote attacker could exploit this vulnerability to compromise an affected system.
Drupal’s Private Taxonomy Terms module enables users to create ‘private’ vocabularies.
The Drupal access bypass vulnerability affects Drupal’s Private Taxonomy Terms module, which enables users to create ‘private’ vocabularies.
“The module doesn’t enforce permissions appropriately for the taxonomy overview page and overview form,” Drupal noted in the advisory published on January 11, 2023.
Moreover, Drupal confirmed the flaw is mitigated by the fact that an attacker must have a role with the permission “Administer own taxonomy” or “View private taxonomies.”
Drupal did not publish a CVE for this issue.
If you are running the Private Taxonomy Terms module for Drupal 8.x, upgrade to Private Taxonomy Terms 8.x-2.6.
- Microsoft January 2023 Security Updates addresses 98 vulnerabilities (11 rated Critical, 1 zero day)
- CISA adds 2 Microsoft vulnerabilities to Known Exploited Vulnerabilities Catalog (to include 1 Windows zero-day)
- Adobe security updates for Adobe Acrobat and Reader (and other products)
- Apple patches vulnerabilities in iOS 16.2, macOS Ventura 13.1 and other products
- Google fixes Chrome 108 zero-day vulnerability (CVE-2022-4262) exploited in the wild