Date
Severity
Moderately Critical
Vulnerability
Cross Site Scripting
Affected versions
<7.x-1.12
Description
The Term Reference Tree module provides hierarchical tree displays for taxonomy term reference fields in Drupal 7. When it displays the selected terms, the module does not sanitize the output of token replacement, so HTML in the replaced values is rendered as markup instead of being escaped, which allows Cross-Site Scripting (XSS).
This vulnerability is mitigated by the requirement for administrative privileges to create or modify taxonomy terms with malicious content.
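The flaw class in miniature, as an added illustrative example that is not the module's own code: a hypothetical stand-in token replacer (replace_term_tokens) renders a constructed list of terms, one of which carries an HTML payload, through a vulnerable output path and a hardened one. In real Drupal 7 code the escaping would be done by token_replace(), whose 'sanitize' option is on by default, or by check_plain(); here htmlspecialchars() stands in for them so the block runs with a plain PHP CLI.

```php
<?php
// Added example, not code from the Term Reference Tree module.
// replace_term_tokens() is a hypothetical stand-in for Drupal 7's
// token_replace(); htmlspecialchars() stands in for check_plain().

/** Constructed sample data: the second term name carries an HTML payload. */
function sample_terms() {
    return array(
        array('tid' => 12, 'name' => 'Security'),
        array('tid' => 13, 'name' => '<img src=x onerror="alert(document.cookie)">'),
    );
}

/**
 * Substitutes [term:KEY] tokens in $template with values from $term.
 * With $sanitize the substituted values are HTML-escaped; the template's
 * own markup is trusted developer input and is left untouched.
 */
function replace_term_tokens($template, array $term, $sanitize) {
    $map = array();
    foreach ($term as $key => $value) {
        $map['[term:' . $key . ']'] = $sanitize
            ? htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8')
            : (string) $value;
    }
    return strtr($template, $map);
}

/** Vulnerable pattern: unsanitized token output goes straight into markup. */
function render_selected_terms_vulnerable(array $terms, $template) {
    $items = array();
    foreach ($terms as $term) {
        $items[] = '<li>' . replace_term_tokens($template, $term, FALSE) . '</li>';
    }
    return '<ul>' . implode('', $items) . '</ul>';
}

/** Hardened pattern: token values are escaped before they reach the page. */
function render_selected_terms_hardened(array $terms, $template) {
    $items = array();
    foreach ($terms as $term) {
        $items[] = '<li>' . replace_term_tokens($template, $term, TRUE) . '</li>';
    }
    return '<ul>' . implode('', $items) . '</ul>';
}

$template = '[term:name] (#[term:tid])';
// In the vulnerable rendering the second list item contains a live <img>
// element whose onerror handler runs in the viewer's browser.
echo render_selected_terms_vulnerable(sample_terms(), $template), "\n";
// In the hardened rendering the same term name is inert, escaped text.
echo render_selected_terms_hardened(sample_terms(), $template), "\n";
```

The design point is where the escaping happens: only the substituted values are escaped, never the template, so the widget's own markup keeps working while a term name chosen by whoever can edit taxonomy terms cannot inject script. Run with `php example.php` and compare the two lines; the payload is visible as markup in the first and as `&lt;img ...&gt;` in the second.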
Solution
Install the latest version.
If you use the Taxonomy Term Reference Tree Widget module for Drupal 7, upgrade to Term Reference Tree Widget 7.x-1.12.
Reported by
Fixed by
- André Angelantoni (aangel)
- Tag1 D7ES