Taxonomy File Tree allows site managers to create file trees.
For files managed as Drupal files, the module does not properly check that a user has access to a file before letting the user download the file.
This vulnerability only affects sites that use private files.
Install the latest version:
- If you use the Taxonomy File Tree module for Drupal 7.x, upgrade to Taxonomy File Tree 7.x-1.1.
Also see the Taxonomy File Tree project page.
- Nathaniel Catchpole of the Drupal Security Team
- James Aparicio
- Nathaniel Catchpole of the Drupal Security Team
- Francesco Placella
- Greg Knaddison of the Drupal Security Team