Client-side Hierarchical Select - Moderately critical - Cross-site scripting - SA-CONTRIB-2021-031
Project: Client-side Hierarchical Select
Date: 2021-September-22
Security risk: Moderately critical 13/25
Vulnerability: Cross-site scripting
Description
The module provides a field widget for selecting taxonomy terms in a hierarchical fashion.
The module doesn't sanitize user input in certain cases, leading to a possible Cross-Site-Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to create or edit taxonomy terms to which the widget may apply.
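The general pattern behind this class of bug is a client-side widget that builds its option markup from taxonomy term data without escaping it, so a term name containing markup is rendered as markup. The example below is added here and is not the cshs module's own code; it shows the unsafe interpolation beside the hardened form, using an assumed term shape `{tid, depth, name}`, a constructed term list, and a hypothetical `escapeHtml()` helper.

```javascript
// Added example (not the Client-side Hierarchical Select module's code):
// escape untrusted term data before it is interpolated into widget markup.

// Escape the five characters that matter inside HTML text and attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Visual nesting prefix for a term at the given depth (constructed convention).
function depthPrefix(depth) {
  return depth > 0 ? '-'.repeat(depth) + ' ' : '';
}

// Vulnerable pattern: term id and name are dropped straight into the markup.
// Any markup inside a term name becomes part of the page.
function renderOptionsUnsafe(terms) {
  return terms
    .map(t => `<option value="${t.tid}">${depthPrefix(t.depth)}${t.name}</option>`)
    .join('');
}

// Hardened pattern: every value that originates from user input (the term
// name, and the id for good measure) passes through escapeHtml() first.
function renderOptionsSafe(terms) {
  return terms
    .map(t => `<option value="${escapeHtml(t.tid)}">${depthPrefix(t.depth)}${escapeHtml(t.name)}</option>`)
    .join('');
}

// Constructed sample hierarchy: one term name carries markup, another carries
// characters that would break out of an attribute value.
const SAMPLE_TERMS = [
  { tid: 1, depth: 0, name: 'Fruit' },
  { tid: 2, depth: 1, name: 'Apple & "Pear"' },
  { tid: 3, depth: 1, name: '<b>Citrus</b>' },
];

// Defensive check: does rendered markup still contain a raw tag from the input?
function leaksRawTag(html) {
  return /<b>/.test(html);
}

console.log(renderOptionsSafe(SAMPLE_TERMS));
```

In a Drupal theme or module, core's `Drupal.checkPlain()` performs the same escaping as the `escapeHtml()` helper above; the point is that escaping has to happen on every path that turns a term name into markup, including the client-side ones.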
Solution
Install the latest version:
If you use the cshs module for Drupal 8 or 9, upgrade to Client-side Hierarchical Select 8.x-3.5.