Moderately Critical XSS Vulnerability in Entity Reference Tree Widget
The Drupal Security Team announced on February 23rd 2022, a moderately critical Cross-Site Scripting (XSS) vulnerability in the Entity Reference Tree Widget module SA-CONTRIB-2022-026. The vulnerability is classified as moderately critical because of the 12∕25 [AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All] Status
The Entity Reference Tree Widget module provides an entity-relationship hierarchy tree widget for an entity reference field. The module provides a combination of an autocomplete text field and a tree view for the reference field as one widget. This module uses the JsTree JavaScript library to render a hierarchy tree of those entities.
The XSS vulnerability is because the module does not sufficiently filter on output. The vulnerability is mitigated by the fact that an attacker must have a role with the permission to modify an entity that is the reference to a field.
Solution: If you use the Entity Reference Tree Widget module for Drupal 8.x or 9.x, upgrade to entity_reference_tree 2.0.2.
The vulnerability was reported by Jeroen Vreuls and fixed by Mingsong (module maintainer) and Jeroen Vreuls. This was coordinated with the help of Chris McCafferty and Damien McKenna of the Drupal Security Team.
Source:
ASK: Drupal Community Needs Your Support
View all →
Note: The vision of this web portal is to help promote news and stories around the Drupal community and promote and celebrate the people and organizations in the community. We strive to create and distribute our content based on these content policy. If you see any omission/variation on this please reach out to us at #thedroptimes channel on Drupal Slack and we will try to address the issue as best we can.
