Moderately Critical Tagify Security Update

Staff Reporter

According to Drupal.org this module provides a widget to transform entity reference fields into a more user-friendly tags input component with a great performance.

The module doesn't sufficiently check access for the add operation. Users with permission to edit content can view and reference unpublished terms. The edit form may expose term data that users could not otherwise see, since there is no term view route by default.

This vulnerability is slightly mitigated by the fact that an attacker must have a role with the permission "access content", so may not be accessible to anonymous users on all sites.

Solution:
Install the latest version:

If you use the Tagify module for Drupal 9.x, upgrade to Tagify 1.0.5

Source:

Tagify - Moderately critical - Access bypass - SA-CONTRIB-2022-051

Follow TheDropTimes on LinkedIn for more updatesFOLLOW

Comment

Note: The vision of this web portal is to help promote news and stories around the Drupal community and promote and celebrate the people and organizations in the community. We strive to create and distribute our content based on these content policy. If you see any omission/variation on this please let us know in the comments below and we will try to address the issue as best we can.

Security Update