DRUPAL-CONTRIB-2021-031

See a problem?

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/cshs/DRUPAL-CONTRIB-2021-031.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2021-031

Published

2021-09-22T16:49:24Z

Modified

2025-12-10T23:33:47.976826Z

Summary

[none]

Details

The module provides a field widget for selecting taxonomy terms in a hierarchical fashion.

The module doesn't sanitize user input in certain cases, leading to a possible Cross-Site-Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create or edit taxonomy terms to which the widget may apply.

References

https://www.drupal.org/sa-contrib-2021-031

Credits

- Patrick Fey
- - https://www.drupal.org/user/998680

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/cshs

Package

Name: drupal/cshs
Purl: pkg:composer/drupal/cshs

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

3.5.0

Database specific

{
    "constraint": "<3.5.0"
}

Database specific

affected_versions

"<3.5.0"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/cshs/DRUPAL-CONTRIB-2021-031.json"