Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2019-December-11
Vulnerability:
Access bypass
Affected versions:
<2.7.0
Description:
This module extends access handling of Drupal Core's Taxonomy module.
The module doesn't sufficiently check,
- if a given entity should be access controlled, defaulting to allowing access even to unpublished Taxonomy Terms.
- if certain administrative routes should be access controlled, defaulting to allowing access even to users without permission to access these administrative routes.
The vulnerability is mitigated by the facts, that
- the user interface to change the status of Taxonomy Terms has been released in Drupal Core 8.8 and a custom or contributed module is required in earlier versions of Drupal Core to mark Taxonomy Terms as unpublished.
- all entity operations (except the view operation) available on affected administrative routes still require appropriate permissions.
- an attacker must have a role with permission to either access content or view a Taxonomy Term in a vocabulary.
Solution:
Install the latest version:
- If you use taxonomy_access_fix 8.x-2.4 or later, upgrade to Taxonomy Access Fix 8.x-2.7
Also see the Taxonomy Access Fix project page.
Reported By:
Fixed By:
Coordinated By:
- Greg Knaddison of the Drupal Security Team
- Damien McKenna of the Drupal Security Team
