Drupal patches Moderately Critical Private Taxonomy Terms vulnerability

Drupal has patched a Moderately Critical ‘Private Taxonomy Terms’ vulnerability that affects multiple versions of Drupal Core.

A remote attacker could exploit this vulnerability to compromise an affected system.

The Drupal access bypass vulnerability affects Drupal’s Private Taxonomy Terms module, which enables users to create ‘private’ vocabularies.

“The module doesn’t enforce permissions appropriately for the taxonomy overview page and overview form,” Drupal noted in the advisory published on January 11, 2023.

Drupal also confirmed that the flaw is mitigated by the fact that an attacker must have a role with the permission “Administer own taxonomy” or “View private taxonomies.”

Drupal did not publish a CVE for this issue.

If you are running the Private Taxonomy Terms module for Drupal 8.x, upgrade to Private Taxonomy Terms 8.x-2.6.
