Taxonomy access fix - Moderately critical - Access bypass - SA-CONTRIB-2019-093

Project: Taxonomy access fix
Version: 8.x-2.6, 8.x-2.5, 8.x-2.4
Date: 2019-December-11
Security risk: Moderately critical 13/25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:All
Vulnerability: Access bypass
Description: This module extends access handling of Drupal Core's Taxonomy module.
The module doesn't sufficiently check:

  • whether a given entity should be access controlled at all, defaulting to allowing access even to unpublished Taxonomy Terms.
  • whether certain administrative routes should be access controlled, defaulting to allowing access even to users without permission to access those administrative routes.
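As an added illustration (not the Taxonomy access fix module's own code), the fail-open entity access pattern described above beside a fail-closed version, written as Drupal 8 hook_entity_access() implementations for two hypothetical modules, weak_example and hardened_example; the permission names "access content" and "administer taxonomy" are Drupal Core's:

```php
<?php

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Entity\EntityPublishedInterface;
use Drupal\Core\Session\AccountInterface;

/**
 * Fail-open form (hypothetical module "weak_example").
 *
 * Entity access hook results are OR-combined with core's own check, so an
 * explicit "allowed" returned for entities this hook was never meant to
 * handle, or for terms whose published status was never consulted, grants
 * view access to anyone who can reach the term.
 */
function weak_example_entity_access(EntityInterface $entity, $operation, AccountInterface $account) {
  if ($entity->getEntityTypeId() !== 'taxonomy_term' || $operation !== 'view') {
    // Defect: out-of-scope entities should get a neutral result, not "allowed".
    return AccessResult::allowed();
  }
  // Defect: an unpublished term is treated exactly like a published one.
  return AccessResult::allowedIfHasPermission($account, 'access content');
}

/**
 * Fail-closed form (hypothetical module "hardened_example").
 *
 * Stays neutral for anything outside its scope, forbids viewing unpublished
 * terms unless the account may administer taxonomy, and attaches the cache
 * metadata the decision depends on (permissions and the term itself).
 */
function hardened_example_entity_access(EntityInterface $entity, $operation, AccountInterface $account) {
  if ($entity->getEntityTypeId() !== 'taxonomy_term') {
    // Not this module's concern: let core and other modules decide.
    return AccessResult::neutral();
  }
  if ($operation === 'view' && $entity instanceof EntityPublishedInterface && !$entity->isPublished()) {
    return AccessResult::forbiddenIf(!$account->hasPermission('administer taxonomy'))
      ->cachePerPermissions()
      ->addCacheableDependency($entity);
  }
  // Published terms and every other operation: defer to core's own checks.
  return AccessResult::neutral();
}
```

The second hook is what a reviewer would look for when auditing a contributed access module: every branch that does not make an explicit decision returns neutral, and published status is checked before view access is granted.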

The vulnerability is mitigated by the following facts:

  • the user interface to change the status of Taxonomy Terms was only released in Drupal Core 8.8, so a custom or contributed module is required in earlier versions of Drupal Core to mark Taxonomy Terms as unpublished.
  • all entity operations (except the view operation) available on affected administrative routes still require appropriate permissions.
  • an attacker must have a role with permission to either access content or view a Taxonomy Term in a vocabulary.

Solution: Install the latest version:

