Moderately Critical XSS Vulnerability in Entity Reference Tree Widget

Staff Reporter

The Drupal Security Team announced on February 23^rd2022, a moderately critical Cross-Site Scripting (XSS) vulnerability in the Entity Reference Tree Widget module SA-CONTRIB-2022-026. The vulnerability is classified as moderately critical because of the 12∕25 [AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All] Status

The Entity Reference Tree Widget module provides an entity-relationship hierarchy tree widget for an entity reference field. The module provides a combination of an autocomplete text field and a tree view for the reference field as one widget. This module uses the JsTree JavaScript library to render a hierarchy tree of those entities.

The XSS vulnerability is because the module does not sufficiently filter on output. The vulnerability is mitigated by the fact that an attacker must have a role with the permission to modify an entity that is the reference to a field.

Solution: If you use the Entity Reference Tree Widget module for Drupal 8.x or 9.x, upgrade to entity_reference_tree 2.0.2.

The vulnerability was reported by Jeroen Vreuls and fixed by Mingsong (module maintainer) and Jeroen Vreuls. This was coordinated with the help of Chris McCafferty and Damien McKenna of the Drupal Security Team.

Source:

Click here to follow us on LinkedIn

Comment

Note: The vision of this web portal is to help promote news and stories around the Drupal community and promote and celebrate the people and organizations in the community. We strive to create and distribute our content based on these content policy. If you see any omission/variation on this please let us know in the comments below and we will try to address the issue as best we can.

XSS