View online: https://www.drupal.org/sa-contrib-2018-008
Project: Entity Reference Tab / Accordion Formatter [1] Date: 2018-February-07 Security risk: *Moderately critical* 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross Site Scripting
Description: This module enables you to show referenced entities in tabs.
The module doesn't sufficiently sanitize the body fields of the referenced entities when it prints them to the tabs.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission create/edit content of the content type that is referenced.
Solution: Install the latest version:
* If you use the Entity Reference Tab / Accordion Formatter module for Drupal 8.x, upgrade to 8.x-1.3 [3]
Reported By: * Tatar Balazs Janos [4] Provisional Security Team member
Fixed By: * Tatar Balazs Janos [5] Provisional Security Team member * Rakesh James [6] the module maintainer
Coordinated By: * Tatar Balazs Janos [7] Provisional Security Team member
[1] https://www.drupal.org/project/entity_ref_tab_formatter [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/entity_ref_tab_formatter/releases/8.x-1.3 [4] https://www.drupal.org/u/tatarbj [5] https://www.drupal.org/u/tatarbj [6] https://www.drupal.org/user/1177822 [7] https://www.drupal.org/u/tatarbj