[Security-news] Taxonomy Term Reference Tree Widget - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-006
security-news at drupal.org
Wed Jan 31 18:27:09 UTC 2018
View online: https://www.drupal.org/sa-contrib-2018-006
Project: Taxonomy Term Reference Tree Widget [1]
Date: 2018-January-31
Security risk: *Moderately critical* 13/25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting
Description:
This module provides an expandable tree widget for the Taxonomy Term
Reference field in Drupal 7.
The module doesn't sufficiently sanitize the output of its own defined field
formatter.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission to edit terms of a taxonomy whose output the module
handles.
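The bug class named above, shown as an added illustration rather than the module's own code: a Drupal 7 field formatter for a taxonomy term reference field that places term names (set by anyone with permission to edit the vocabulary's terms) into HTML. The module name `example_tree` and the formatter key are assumptions for the example.

```php
<?php
/**
 * Illustrative Drupal 7 field formatter (hypothetical module "example_tree",
 * not the term_reference_tree module's own code). Term names are controlled
 * by users who may edit terms of the vocabulary, so they must be escaped
 * before being placed into markup.
 */

/**
 * Implements hook_field_formatter_info().
 */
function example_tree_field_formatter_info() {
  return array(
    'example_tree_plain' => array(
      'label' => t('Term list (plain)'),
      'field types' => array('taxonomy_term_reference'),
    ),
  );
}

/**
 * Implements hook_field_formatter_view().
 */
function example_tree_field_formatter_view($entity_type, $entity, $field, $instance, $langcode, $items, $display) {
  $element = array();
  foreach ($items as $delta => $item) {
    $term = taxonomy_term_load($item['tid']);
    if (!$term) {
      continue;
    }
    // VULNERABLE: the raw term name is emitted verbatim, so any HTML or
    // script a term editor types into the name reaches the page.
    // $element[$delta] = array('#markup' => '<li>' . $term->name . '</li>');

    // FIXED: escape the name before it enters markup. If the term should be
    // linked instead, l() escapes its text argument by default.
    $element[$delta] = array(
      '#markup' => '<li>' . check_plain($term->name) . '</li>',
    );
  }
  return $element;
}
```

Reviewing a formatter for this defect means checking every place a term name or description is concatenated into `#markup` or a theme template without `check_plain()` or `filter_xss()`.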
Solution:
Install the latest version:
* If you use the Taxonomy Term Reference Tree Widget module for Drupal 7.x,
upgrade to 7.x-1.11 [3]
Reported By:
* Tatar Balazs Janos [4]
Fixed By:
* Tatar Balazs Janos [5]
* Sumit Madan [6], the module maintainer
Coordinated By:
* Stella Power [7] of the Drupal Security Team
[1] https://www.drupal.org/project/term_reference_tree
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/term_reference_tree/releases/7.x-1.11
[4] https://www.drupal.org/u/tatarbj
[5] https://www.drupal.org/u/tatarbj
[6] https://www.drupal.org/user/1538790
[7] https://www.drupal.org/u/stella