PT-2021-24372 · Flarum · Flarum+1
Published 2021-01-29 · Updated 2021-01-29
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions:
Flarum Tags extension versions prior to v0.1.0-beta.13.2
Flarum Tags extension versions prior to v0.1.0-beta.14
Description:
This issue allowed any registered user to edit the tags of any discussion for which they have READ access using the REST API. Users were able to remove any existing tag and add any tag in which they are allowed to create discussions. By moving the discussion to new tags, users were able to bypass permissions applied to restricted tags, potentially exposing content that was only visible to certain groups or gaining the ability to interact with content where such interaction was limited. The full impact varies depending on the configuration of permissions and restricted tags.
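The following Python is an added illustration of the authorization flaw described above; it is not Flarum's code. The data model, group names and permission rules are assumptions made for the example. It models the defective check (read access on the discussion plus "may create discussions in each added tag") beside a hardened one that also requires the actor to own the discussion or to moderate every tag involved, and shows how the defective check lets an ordinary member move a members-only discussion into a public tag.

```python
"""Toy model of discussion re-tagging authorization (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tag:
    name: str
    view_groups: frozenset = frozenset()      # empty: visible to everyone, guests included
    start_groups: frozenset = frozenset()     # empty: any registered user may create discussions here
    moderate_groups: frozenset = frozenset()  # groups allowed to re-tag other users' discussions


@dataclass
class Discussion:
    author: str
    tags: set


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()


def can_view_tag(user, tag):
    return not tag.view_groups or bool(user.groups & tag.view_groups)


def can_start_in_tag(user, tag):
    return not tag.start_groups or bool(user.groups & tag.start_groups)


def can_moderate_tag(user, tag):
    return bool(user.groups & tag.moderate_groups)


def can_read_discussion(user, d):
    # Assumed rule: a discussion is readable only if every tag on it is viewable.
    return all(can_view_tag(user, t) for t in d.tags)


def edit_tags_vulnerable(user, d, new_tags):
    """Defective check: READ access on the discussion, then 'may start' in each added tag."""
    if not can_read_discussion(user, d):
        raise PermissionError("cannot read discussion")
    for t in new_tags - d.tags:
        if not can_start_in_tag(user, t):
            raise PermissionError(f"cannot add tag {t.name}")
    d.tags = set(new_tags)


def edit_tags_fixed(user, d, new_tags):
    """Hardened check: the actor must own the discussion or moderate every tag involved."""
    if not can_read_discussion(user, d):
        raise PermissionError("cannot read discussion")
    involved = d.tags | set(new_tags)
    if user.name != d.author and not all(can_moderate_tag(user, t) for t in involved):
        raise PermissionError("not allowed to re-tag this discussion")
    for t in new_tags - d.tags:
        if not can_start_in_tag(user, t):
            raise PermissionError(f"cannot add tag {t.name}")
    d.tags = set(new_tags)


def scenario(editor):
    """Run one re-tagging attempt under both checks.

    Returns ((moved, guest_can_read), (moved, guest_can_read)) for the vulnerable
    and the fixed check respectively. The discussion starts in a members-only tag
    and the editor tries to move it into a public tag.
    """
    members_only = Tag("members-only", view_groups=frozenset({"member"}),
                       moderate_groups=frozenset({"moderator"}))
    general = Tag("general", moderate_groups=frozenset({"moderator"}))
    guest = User("guest")  # no groups: may only see public tags
    results = []
    for check in (edit_tags_vulnerable, edit_tags_fixed):
        d = Discussion(author="alice", tags={members_only})
        try:
            check(editor, d, {general})
            moved = True
        except PermissionError:
            moved = False
        results.append((moved, can_read_discussion(guest, d)))
    return tuple(results)


if __name__ == "__main__":
    bob = User("bob", frozenset({"member"}))  # ordinary member, not the author
    print(scenario(bob))  # vulnerable: moved and now guest-readable; fixed: refused
```

With an ordinary member as the actor, the defective check moves the discussion and a guest can then read it; the hardened check refuses. The discussion's author and a moderator of both tags still pass the hardened check, which is the behaviour the model intends.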
Recommendations:
For Flarum beta 13 forums, update the Tags extension to version v0.1.0-beta.13.2 to fix the issue.
For forums that have not yet updated to Flarum beta 13, update to Flarum beta 13 as soon as possible and then update the Tags extension to version v0.1.0-beta.13.2.
For forums using Flarum beta 14 or later, update the Tags extension to version v0.1.0-beta.14 or later.
Weakness Enumeration:
IDOR
Affected Products
Flarum
Flarum Tags Extension