DRUPAL-CONTRIB-2019-093

See a problem?
Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/taxonomy_access_fix/DRUPAL-CONTRIB-2019-093.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2019-093
Published
2019-12-11T18:32:17Z
Modified
2025-12-10T23:33:10.043939Z
Summary
[none]
Details

This module extends access handling of Drupal Core's Taxonomy module.

The module doesn't sufficiently check,

  • if a given entity should be access controlled, defaulting to allowing access even to unpublished Taxonomy Terms.
  • if certain administrative routes should be access controlled, defaulting to allowing access even to users without permission to access these administrative routes.

The vulnerability is mitigated by the facts, that

  • the user interface to change the status of Taxonomy Terms has been released in Drupal Core 8.8 and a custom or contributed module is required in earlier versions of Drupal Core to mark Taxonomy Terms as unpublished.
  • all entity operations (except the view operation) available on affected administrative routes still require appropriate permissions.
  • an attacker must have a role with permission to either access content or view a Taxonomy Term in a vocabulary.
References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/taxonomy_access_fix

Package

Name
drupal/taxonomy_access_fix
Purl
pkg:composer/drupal/taxonomy_access_fix

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.7.0
Database specific 
{
    "constraint": "<2.7.0"
}

Database specific

source 
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/taxonomy_access_fix/DRUPAL-CONTRIB-2019-093.json"
affected_versions 
"<2.7.0"