DRUPAL-CONTRIB-2021-035

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/taxonomy_manager/DRUPAL-CONTRIB-2021-035.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2021-035
Published
2021-09-22T17:09:11Z
Modified
2025-12-10T23:33:06.281063Z
Summary
[none]
Details

This module provides a powerful interface for managing a taxonomy vocabulary. A vocabulary gets displayed in a dynamic tree view, where parent terms can be expanded to list their nested child terms or can be collapsed.

The module does not take the correct user permissions into account, allowing an attacker to delete and move terms.

The issue is mitigated by the fact that an attacker must have permission to create terms in the targeted vocabulary.

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/taxonomy_manager

Package

Name
drupal/taxonomy_manager
Purl
pkg:composer/drupal/taxonomy_manager

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.0.6
Database specific
{
    "constraint": "<2.0.6"
}

Database specific

affected_versions
"<2.0.6"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/taxonomy_manager/DRUPAL-CONTRIB-2021-035.json"