it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
[IT-SecNots] [Security-news] Taxonomy Term Reference Tree Widget - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-006
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Taxonomy Term Reference Tree Widget - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-006
- Date: Wed, 31 Jan 2018 18:27:09 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2018-006
Project: Taxonomy Term Reference Tree Widget [1]
Date: 2018-January-31
Security risk: *Moderately critical* 13/25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting
Description:
This module provides an expandable tree widget for the Taxonomy Term
Reference field in Drupal 7.
The module doesn't sufficiently sanitize the output of its own defined field
formatter.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission that allows editing terms of a taxonomy whose output the
module handles.
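The bug class the advisory describes, insufficient escaping in a field formatter's output, is illustrated below with an added Drupal 7 example; it is not the term_reference_tree module's code, and the module name `example_tree`, the formatter name and the list markup are assumptions. The vulnerable pattern is shown commented out beside the corrected one.

```php
<?php
// Added illustration (not the term_reference_tree module's code): a Drupal 7
// field formatter that renders taxonomy term names. As the advisory notes,
// term names are controlled by anyone holding the "edit terms" permission.

/**
 * Implements hook_field_formatter_info().
 * The module name "example_tree" and the formatter name are hypothetical.
 */
function example_tree_field_formatter_info() {
  return array(
    'example_tree_list' => array(
      'label' => t('Term list (example)'),
      'field types' => array('taxonomy_term_reference'),
    ),
  );
}

/**
 * Implements hook_field_formatter_view().
 */
function example_tree_field_formatter_view($entity_type, $entity, $field, $instance, $langcode, $items, $display) {
  $element = array();
  foreach ($items as $delta => $item) {
    $term = taxonomy_term_load($item['tid']);
    if (!$term) {
      continue;
    }
    // Vulnerable pattern: user-controlled text placed directly in '#markup'
    // is emitted as HTML, so a term name containing markup is rendered as-is.
    // $element[$delta] = array('#markup' => '<li>' . $term->name . '</li>');

    // Corrected pattern: escape the name with check_plain() before it becomes
    // markup (or let l()/theme functions escape it for you).
    $element[$delta] = array(
      '#markup' => '<li>' . check_plain($term->name) . '</li>',
    );
  }
  return $element;
}
```

When reviewing a contributed module for this class of issue, look for `'#markup'` values or string concatenation that include entity labels or field values without `check_plain()` or `filter_xss()`.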
Solution:
Install the latest version:
* If you use the Taxonomy Term Reference Tree Widget module for Drupal 7.x,
upgrade to 7.x-1.11 [3]
Reported By:
* Tatar Balazs Janos [4]
Fixed By:
* Tatar Balazs Janos [5]
* Sumit Madan [6] the module maintainer
Coordinated By:
* Stella Power [7] of the Drupal Security Team
[1] https://www.drupal.org/project/term_reference_tree
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/term_reference_tree/releases/7.x-1.11
[4] https://www.drupal.org/u/tatarbj
[5] https://www.drupal.org/u/tatarbj
[6] https://www.drupal.org/user/1538790
[7] https://www.drupal.org/u/stella
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Archive provided by MHonArc 2.6.19.