Drupal Term Reference Tree
Affected versions: >= 7.1.0, <= 7.1.11
A stored cross-site scripting vulnerability has been identified in the Drupal 7 Term Reference Tree module, specifically in versions 7.x-1.x prior to 7.x-1.12. The issue arises in the widget and formatter rendering pipeline, where attacker-controlled token output and term labels are not properly sanitized before being displayed. This allows users with permission to edit taxonomy terms to inject malicious HTML or JavaScript that executes when the content is rendered.
Successful exploitation results in stored cross-site scripting: the injected script runs in the browser of any user who views the affected content, with that user's session and permissions.
The vulnerability can be reproduced by creating a Drupal 7 installation and adding a Term Reference Tree Widget field. For Vector A, enable the Token module and inject a script into a term description, which is then rendered unsanitized through the token display template. For Vector B, inject a script into a term label, which executes when the term is rendered as a label in the widget.
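The defect class behind both vectors is the same: a stored, user-controlled string (a term label, or token output built from a term description) is concatenated into markup without escaping. The following PHP is an added illustration and is not the Term Reference Tree module's own code; the function names and the sample term are constructed for this example. Drupal 7's real `check_plain()` is `htmlspecialchars($text, ENT_QUOTES, 'UTF-8')`, which is reimplemented here under a different name so the file runs without a Drupal bootstrap.

```php
<?php
// Added example, not the module's code: a hypothetical Drupal 7 style term
// label renderer in its unsafe and hardened forms, plus a small check a
// reviewer can run over rendered output.

// Stand-in for Drupal 7's check_plain(): escape for an HTML text context.
function check_plain_standalone($text) {
    return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern: the stored term name goes straight into the markup.
function render_term_label_unsafe(array $term) {
    return '<label for="tid-' . $term['tid'] . '">' . $term['name'] . '</label>';
}

// Hardened pattern: every stored value is escaped at the point of output and
// the numeric id is cast, so neither field can break out of its context.
function render_term_label_safe(array $term) {
    return '<label for="tid-' . (int) $term['tid'] . '">'
        . check_plain_standalone($term['name']) . '</label>';
}

// Review/detection helper: flags raw active tags or inline event handlers
// surviving in rendered output. Escaped output ("&lt;script") does not match.
function contains_active_markup($html) {
    return (bool) preg_match('/<\s*(script|img|svg|iframe)\b|\bon[a-z]+\s*=/i', $html);
}

// Constructed sample term, as a user with permission to edit taxonomy terms
// could save it. The value is a standard XSS test string, not a real term.
$term = array('tid' => 7, 'name' => "Fruit <script>alert('xss')</script>");

$rendered = array(
    'unsafe' => render_term_label_unsafe($term),
    'safe'   => render_term_label_safe($term),
);
foreach ($rendered as $mode => $html) {
    printf("%-6s active markup: %s\n       %s\n", $mode,
        contains_active_markup($html) ? 'YES' : 'no', $html);
}
```

Running this prints the unsafe rendering with the script tag intact and the safe rendering with it escaped to `&lt;script&gt;`. The same rule applies to Vector A: text that reaches the page through a token built from a term description must pass through Drupal 7's text-format pipeline (`check_markup()` with the description's format, or `filter_xss()` for a fixed tag whitelist) rather than being interpolated raw into the display template. Upgrading to 7.x-1.12 is the actual fix; the example only shows what the missing escaping looks like and how to spot it in output.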
Users should upgrade to Term Reference Tree Widget version 7.x-1.12. Those on the HeroDevs Never-Ending Support plan can access this patched version immediately.