[Security-news] Simple hierarchical select - Moderately critical - Cross site request forgery - SA-CONTRIB-2019-038
security-news at drupal.org
security-news at drupal.org
Wed Mar 13 17:37:13 UTC 2019
View online: https://www.drupal.org/sa-contrib-2019-038
Project: Simple hierarchical select [1]
Date: 2019-March-13
Security risk: *Moderately critical* 10∕25
AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross site request forgery
Description:
Simple hierarchical select defines a new form widget for taxonomy fields to
select a term by "browsing" through the vocabularies hierarchy. It also
allows users to create new taxonomy terms using its widget directly in the
node form.
Version 7.x of Simple hierarchical select doesn't sufficiently checks
permission when creating new terms so attackers can create arbitrary taxonomy
terms in any vocabularies the victim has access to..
This vulnerability is mitigated by the fact that an attacker must trick a
user with permission to create terms to visit a specially prepared web page
controlled by the attacker.
Solution:
Install the latest version:
* If you use /Simple hierarchical select/ prior to 7.x-1.7 update to
7.x-1.8
[3]
* If you are unable to update, simply deactivate the option to allow
creating new terms in the widget settings.
Note that the Drupal 8 version of this module is unaffected.
Reported By:
* Ayesh Karunaratne [4]
Fixed By:
* Ayesh Karunaratne [5]
* Stefan Borchert [6]
* Greg Knaddison [7] of the Drupal Security Team
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/shs
[2] https://www.drupal.org/security-team/risk-levels
[3] node/3039685
[4] https://www.drupal.org/user/796148
[5] https://www.drupal.org/user/796148
[6] https://www.drupal.org/user/36942
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/36762
More information about the Security-news
mailing list