View online: https://www.drupal.org/sa-contrib-2019-038
Project: Simple hierarchical select [1] Date: 2019-March-13 Security risk: *Moderately critical* 10∕25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Cross site request forgery
Description: Simple hierarchical select defines a new form widget for taxonomy fields to select a term by "browsing" through the vocabularies hierarchy. It also allows users to create new taxonomy terms using its widget directly in the node form.
Version 7.x of Simple hierarchical select doesn't sufficiently checks permission when creating new terms so attackers can create arbitrary taxonomy terms in any vocabularies the victim has access to.. This vulnerability is mitigated by the fact that an attacker must trick a user with permission to create terms to visit a specially prepared web page controlled by the attacker.
Solution: Install the latest version:
* If you use /Simple hierarchical select/ prior to 7.x-1.7 update to 7.x-1.8 [3] * If you are unable to update, simply deactivate the option to allow creating new terms in the widget settings.
Note that the Drupal 8 version of this module is unaffected.
Reported By: * Ayesh Karunaratne [4]
Fixed By: * Ayesh Karunaratne [5] * Stefan Borchert [6] * Greg Knaddison [7] of the Drupal Security Team
Coordinated By: * Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/shs [2] https://www.drupal.org/security-team/risk-levels [3] node/3039685 [4] https://www.drupal.org/user/796148 [5] https://www.drupal.org/user/796148 [6] https://www.drupal.org/user/36942 [7] https://www.drupal.org/user/36762 [8] https://www.drupal.org/user/36762