This is a serious security flaw.
To reproduce:
  1. Create a first-level category named "Customer Content".
  2. Create another first-level category named "Internal Content".
  3. Put one article in each category, and assign the same exact tag to both articles.
  4. Create a Reader Group named "Customers", setting the scope so that they can see only articles inside the "Customer Content" category.
  5. Create a reader account and assign them to the "Customers" Reader group, with the Project scope set to "None".
  6. Log in to the rendered KBsite with that reader account.
  7. View the one available article in the "Customer Content" category and click the displayed tag.
User expectation: The resulting list of articles with that tag should have only one entry: the article that should be visible to that Reader Group.
Actual outcome: The resulting list of articles with that tag has TWO entries, and is showing the title of the article that you created in the "Internal Content" category.
This is a HUGE security flaw. And it renders the Tagging features of Doc360 one hundred percent unusable for us, because it's a massive security flaw.
This is a serious issue because the tagging capabilties are one of the driving features that made us subscribe to Doc360. It would be great to prioritize a fix patch for this.