Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2018-September-26
Vulnerability:
Access bypass
Description:
Taxonomy File Tree allows site managers to create file trees.
For files managed as Drupal files, the module does not properly check that a user has access to a file before letting the user download the file.
This vulnerability only affects sites that use private files.
Solution:
Install the latest version:
- If you use the Taxonomy File Tree module for Drupal 7.x, upgrade to Taxonomy File Tree 7.x-1.1
Also see the Taxonomy File Tree project page.
Reported By:
- Nathaniel Catchpole of the Drupal Security Team
Fixed By:
- James Aparicio
- Nathaniel Catchpole of the Drupal Security Team
- Francesco Placella
Coordinated By:
- Greg Knaddison of the Drupal Security Team
