Taxonomy access fix - Moderately critical - Access bypass - SA-CONTRIB-2019-093
View online: https://www.drupal.org/sa-contrib-2019-093

Project: Taxonomy access fix [1]
Version: 8.x-2.6, 8.x-2.5, 8.x-2.4
Date: 2019-December-11
Security risk: *Moderately critical* 13/25 AC:None/A:User/CI:Some/II:None/E:Theoretical/TD:All [2]
Vulnerability: Access bypass

Description:

This module extends access handling of Drupal Core's Taxonomy module.

The module doesn't sufficiently check

* if a given entity should be access controlled, defaulting to allowing access even to unpublished Taxonomy Terms.
* if certain administrative routes should be access controlled, defaulting to allowing access even to users without permission to access these administrative routes.

The vulnerability is mitigated by the facts that

* the user interface to change the status of Taxonomy Terms has been released in Drupal Core 8.8, and a custom or contributed module is required in earlier versions of Drupal Core to mark Taxonomy Terms as unpublished.
* all entity operations (except the view operation) available on affected administrative routes still require appropriate permissions.
* an attacker must have a role with permission to either access content or view a Taxonomy Term in a vocabulary.

Solution:

Install the latest version:

* If you use taxonomy_access_fix 8.x-2.4 or later, upgrade to Taxonomy Access Fix 8.x-2.7 [3]

Also see the Taxonomy Access Fix project page [4].
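The root cause described above is an access check that "allows" whenever none of its rules match. As an added illustration (not code from the Taxonomy Access Fix module or from Drupal Core), the following hypothetical hook_ENTITY_TYPE_access() implementations place that fail-open pattern beside a fail-closed rewrite; the function names and the "view terms in VOCABULARY" permission string are assumptions, while the AccessResult and TermInterface APIs are Drupal Core's.

```php
<?php

// Added example for a hypothetical module named "example"; not the
// Taxonomy Access Fix module's own code. Permission names are assumed.

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\taxonomy\TermInterface;

/**
 * Fail-open variant (the bug pattern): any case the code does not
 * recognise falls through to allowed(). An unpublished term, or an entity
 * that is not a term at all, is therefore granted access by default.
 */
function example_fail_open_taxonomy_term_access(EntityInterface $entity, $operation, AccountInterface $account) {
  if ($entity instanceof TermInterface && $operation === 'view' && $entity->isPublished()) {
    return AccessResult::allowedIfHasPermission($account, 'view terms in ' . $entity->bundle());
  }
  // No rule matched, so "allow" is used as the default: this is the bypass.
  return AccessResult::allowed();
}

/**
 * Fail-closed variant: the hook grants only when a rule matches, returns
 * neutral() when it has no opinion (so Core's own term access handler still
 * applies), and explicitly forbids viewing unpublished terms to anyone
 * without 'administer taxonomy'.
 */
function example_fail_closed_taxonomy_term_access(EntityInterface $entity, $operation, AccountInterface $account) {
  // Not a term, or not the operation this hook governs: no opinion.
  if (!$entity instanceof TermInterface || $operation !== 'view') {
    return AccessResult::neutral();
  }
  // Unpublished terms: forbid unless the account administers taxonomy.
  // The result varies by the term's status and by permissions, so both are
  // recorded as cache dependencies.
  if (!$entity->isPublished()) {
    return AccessResult::forbiddenIf(!$account->hasPermission('administer taxonomy'))
      ->addCacheableDependency($entity)
      ->cachePerPermissions();
  }
  // Published terms: require the (assumed) per-vocabulary view permission;
  // allowedIfHasPermission() yields neutral, not allowed, when it is missing.
  return AccessResult::allowedIfHasPermission($account, 'view terms in ' . $entity->bundle())
    ->addCacheableDependency($entity);
}
```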
Reported By:

* guedressel [5]

Fixed By:

* Julian Pustkuchen [6]
* Patrick Fey [7]
* Oleh Vehera [8]
* guedressel [9]

Coordinated By:

* Greg Knaddison [10] of the Drupal Security Team
* Damien McKenna [11] of the Drupal Security Team

[1] https://www.drupal.org/project/taxonomy_access_fix
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/taxonomy_access_fix/releases/8.x-2.7
[4] https://www.drupal.org/project/taxonomy_access_fix
[5] https://www.drupal.org/user/266710
[6] https://www.drupal.org/user/291091
[7] https://www.drupal.org/user/998680
[8] https://www.drupal.org/user/3260314
[9] https://www.drupal.org/user/266710
[10] https://www.drupal.org/u/greggles
[11] https://www.drupal.org/u/damienmckenna
security-news@drupal.org