This module extends access handling of Drupal Core's Taxonomy module.
The module doesn't sufficiently check:
- whether a given entity should be access controlled at all, so it defaults to allowing access, even to unpublished Taxonomy Terms;
- whether certain administrative routes should be access controlled, so it defaults to allowing access, even to users who lack the permission those administrative routes require.
The vulnerability is mitigated by the following facts:
- The user interface for changing the publishing status of Taxonomy Terms was only released in Drupal Core 8.8; on earlier versions of Drupal Core, a custom or contributed module is required to mark Taxonomy Terms as unpublished.
- All entity operations other than the view operation that are available on the affected administrative routes still require the appropriate permissions.
- An attacker must have a role with permission either to access content or to view Taxonomy Terms in a vocabulary.
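The failure pattern behind the first bullet of the description is a per-vocabulary access hook that returns an "allowed" result without regard to the term's publishing status. The following is an added illustration and is not code from the Taxonomy Access Fix module or from Drupal Core; the module name `example`, the permission name `view terms in VOCABULARY` and the use of `administer taxonomy` as the override permission are assumptions made for the example, and it assumes a Drupal Core version in which taxonomy terms are publishable (so `TermInterface::isPublished()` exists).

```php
<?php

/**
 * @file
 * Illustrative hook_ENTITY_TYPE_access() implementations for taxonomy terms.
 *
 * Added example, NOT the Taxonomy Access Fix module's own code. Assumed names:
 * module "example", permission "view terms in VOCABULARY",
 * override permission "administer taxonomy".
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\taxonomy\TermInterface;

/**
 * Flawed pattern (shown for contrast; do not wire this up as a hook).
 *
 * Any account holding the per-vocabulary permission is granted 'view' with an
 * unconditional allowed() result. Because allowed() is combined with the other
 * access results by "allowed unless something says forbidden", core's own
 * published-status check for terms is effectively bypassed and unpublished
 * terms become visible to ordinary users of that vocabulary.
 */
function example_flawed_term_view_access(EntityInterface $entity, string $operation, AccountInterface $account): AccessResultInterface {
  if ($operation !== 'view' || !$entity instanceof TermInterface) {
    return AccessResult::neutral();
  }
  $permission = 'view terms in ' . $entity->bundle();
  // BUG: no isPublished() check; allowed() is returned for unpublished terms.
  return AccessResult::allowedIf($account->hasPermission($permission))
    ->cachePerPermissions();
}

/**
 * Implements hook_ENTITY_TYPE_access() for taxonomy_term (hardened pattern).
 *
 * Rules:
 * - Operations other than 'view' are left to core and other modules (neutral).
 * - Unpublished terms are explicitly forbidden unless the account holds the
 *   override permission. A forbidden() result cannot be out-voted by an
 *   allowed() result from another module, so the default is "deny".
 * - Published terms are granted only to holders of the vocabulary permission;
 *   everyone else gets neutral, leaving core's 'access content' logic intact.
 *
 * Cache metadata: the result varies by permission and by the term itself
 * (its status can change), so both are recorded as cacheable dependencies.
 */
function example_taxonomy_term_access(EntityInterface $entity, $operation, AccountInterface $account): AccessResultInterface {
  if ($operation !== 'view' || !$entity instanceof TermInterface) {
    return AccessResult::neutral();
  }

  if (!$entity->isPublished()) {
    return AccessResult::forbiddenIf(
      !$account->hasPermission('administer taxonomy'),
      'Unpublished taxonomy terms are only visible to taxonomy administrators.'
    )
      ->cachePerPermissions()
      ->addCacheableDependency($entity);
  }

  $permission = 'view terms in ' . $entity->bundle();
  return AccessResult::allowedIf($account->hasPermission($permission))
    ->cachePerPermissions()
    ->addCacheableDependency($entity);
}
```

The same "default to deny" principle applies to the second bullet of the description: an access callback on an administrative route should return `AccessResult::neutral()` or `forbidden()` when it has no positive reason to grant access, never `allowed()` as a fallthrough, because a single `allowed()` wins against every `neutral()` in Drupal's result combination.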
Install the latest version:
- If you use taxonomy_access_fix 8.x-2.4 or later, upgrade to Taxonomy Access Fix 8.x-2.7
Also see the Taxonomy Access Fix project page.
- Greg Knaddison of the Drupal Security Team
- Damien McKenna of the Drupal Security Team