DRUPAL-CONTRIB-2022-026

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/entity_reference_tree/DRUPAL-CONTRIB-2022-026.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2022-026

Published

2022-02-23T17:10:52Z

Modified

2025-12-10T23:31:29.733718Z

Summary

[none]

Details

This module provides an entity relationship hierarchy tree widget for an entity reference field.

The module doesn't sufficiently filter on output, leading to a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to modify an entity that is the reference to a field.

References

https://www.drupal.org/sa-contrib-2022-026

Credits

- Jeroen Vreuls
- - https://www.drupal.org/user/2700643

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/entity_reference_tree

Package

Name: drupal/entity_reference_tree
Purl: pkg:composer/drupal/entity_reference_tree

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

2.0.2

Database specific

{
    "constraint": "<2.0.2"
}

Database specific

affected_versions

"<2.0.2"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/entity_reference_tree/DRUPAL-CONTRIB-2022-026.json"