Affected versions: ibexa/taxonomy v4.2.*
Resolving versions: ibexa/taxonomy v4.2.2
This vulnerability affects taxonomy in Ibexa Content, Experience and Commerce v4.2. Content Items can be assigned to tags even if the user does not have the "taxonomy/assign" policy. The fix ensure the policy is enforced as it should. It is included in Ibexa Content, Experience and Commerce v4.2.2, which were released today.
Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/guide/reporting_issues/