DRUPAL-CONTRIB-2022-051

See a problem?
Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/tagify/DRUPAL-CONTRIB-2022-051.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2022-051
Published
2022-07-27T17:07:39Z
Modified
2025-12-10T23:32:45.264347Z
Summary
[none]
Details

This module provides a widget to transform entity reference fields into a more user-friendly tags input component with a great performance.

The module doesn't sufficiently check access for the add operation. Users with permission to edit content can view and reference unpublished terms. The edit form may expose term data that users could not otherwise see, since there is no term view route by default.

This vulnerability is slightly mitigated by the fact that an attacker must have a role with the permission "access content", so may not be accessible to anonymous users on all sites.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/tagify

Package

Name
drupal/tagify
Purl
pkg:composer/drupal/tagify

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.0.5
Database specific
{
    "constraint": "<1.0.5"
}

Database specific

affected_versions
"<1.0.5"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/tagify/DRUPAL-CONTRIB-2022-051.json"