Security advisory: IBEXA-SA-2022-008

The policy "taxonomy/assign" has no effect
Publication date: 07/10/2022, 16:03

Severity: High

Affected versions: ibexa/taxonomy v4.2.*
Resolving versions: ibexa/taxonomy v4.2.2

This vulnerability affects taxonomy in Ibexa Content, Experience and Commerce v4.2. Content Items can be assigned to tags even if the user does not have the "taxonomy/assign" policy. The fix ensures the policy is enforced as it should be. It is included in Ibexa Content, Experience and Commerce v4.2.2, which were released today.
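
As an added example (not part of the advisory and not Ibexa's code), this Python script checks the contents of a composer.lock for an ibexa/taxonomy version in the affected 4.2 range. The function names and the sample lock content are constructed for illustration.

```python
import json
import re

PACKAGE = "ibexa/taxonomy"   # package named in the advisory
FIXED = (4, 2, 2)            # resolving version from the advisory

def classify(version):
    """Return 'affected', 'fixed', 'not-listed' or 'unknown' for a Composer version."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        # Branch aliases and pre-releases ("4.2.x-dev", "v4.2.2-rc1") cannot be
        # compared reliably against the fixed release, so flag them for review.
        return "unknown"
    parsed = tuple(int(part) for part in m.groups())
    if parsed[:2] != FIXED[:2]:
        return "not-listed"  # the advisory lists only the 4.2 line as affected
    return "affected" if parsed < FIXED else "fixed"

def check_lock(lock_text):
    """Scan composer.lock JSON text; return a list of (section, version, status)."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() == PACKAGE:
                version = pkg.get("version", "")
                findings.append((section, version, classify(version)))
    return findings

# Constructed sample lock content (assumption, not taken from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "example/other-package", "version": "v1.0.0"},
        {"name": "ibexa/taxonomy", "version": "v4.2.1"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for section, version, status in check_lock(SAMPLE_LOCK):
        print(f"{PACKAGE} {version} ({section}): {status}")
```

An empty result means the package is not present in the lock file; an "unknown" status means the locked version needs manual review.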


Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/guide/reporting_issues/
