Description
The Simple hierarchical select (SHS) module provides hierarchical select widgets for taxonomy term reference fields in Drupal 7, allowing users to select terms from nested hierarchies through cascading select lists.
The module doesn't properly sanitize term names when outputting them in field formatters and in the JSON data it prepares for its JavaScript components, leaving sites vulnerable to Cross-Site Scripting (XSS) when a taxonomy term name contains unsanitized HTML.
This vulnerability is mitigated by the requirement for administrative privileges to create or modify taxonomy terms, limiting the attack surface to trusted users with content management permissions. Additionally, the vulnerability only affects sites using the SHS field formatter in unlinked display mode or sites that cache term data for JavaScript components.
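The output paths named above, shown as an added illustration that is not the SHS module's own code: a hypothetical Drupal 7 field formatter that prints a term name, first without sanitization and then with check_plain(), and the same contrast for term labels handed to JavaScript as JSON. The term object is constructed inline; the functions assume a bootstrapped Drupal 7 environment (check_plain() and drupal_json_encode() are core API), and the JSON case assumes the client inserts the label as HTML rather than as text.

```php
<?php
// Hypothetical Drupal 7 code for illustration only; not from the SHS module.

// Constructed sample term: a name carrying HTML, as a user with taxonomy
// administration permissions could save it.
$term = (object) array(
  'tid'  => 123,
  'name' => '<img src=x onerror=alert(1)>Networking',
);

// Vulnerable pattern: the raw term name is placed in a render array, so the
// HTML inside the name is emitted into the page unchanged.
function shs_example_render_unsafe($term) {
  return array('#markup' => $term->name);
}

// Hardened pattern: check_plain() converts <, >, &, and quotes into entities,
// so the name is displayed literally instead of being interpreted as markup.
function shs_example_render_safe($term) {
  return array('#markup' => check_plain($term->name));
}

// JSON handed to a JavaScript component: drupal_json_encode() escapes the
// characters inside the JSON string, but the decoded value on the client is
// the original HTML again. Sanitizing before encoding keeps it inert if the
// client inserts the label via innerHTML.
function shs_example_json_safe(array $terms) {
  $data = array();
  foreach ($terms as $t) {
    $data[$t->tid] = check_plain($t->name);
  }
  return drupal_json_encode($data);
}
```

If the client-side code inserts labels as text nodes (textContent or a text-only jQuery call) rather than as HTML, the JSON value should be left unescaped to avoid double-encoded entities; the fix must match how the consumer renders it.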
Solution
Upgrade to Simple hierarchical select 7.x-1.12 or later.
If you use the Simple hierarchical select module for Drupal 7, upgrade to shs 7.x-1.12:
Reported by
Fixed by
Coordinated by
- J.D. Flynn (dorficus)
- Tag1 D7ES