Drupal 7 Simple Hierarchical Select Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the Simple Hierarchical Select (SHS) module for Drupal 7, affecting versions 7.x-1.0 up to but not including 7.x-1.12. The module does not escape term-derived text before output, so a taxonomy term whose name contains HTML is rendered as markup rather than as text, depending on the output context. Two code paths are affected: the SHS field formatter output and the generation of child-term data for the term tree. In both, unsanitized HTML in a term name reaches the user's browser and can execute there.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts could be executed in the context of the user viewing the page.

Reproduction

To reproduce this vulnerability, first ensure that the SHS module is enabled and configured to use the 'Tags' vocabulary on the 'Article' content type. Add a new term whose name contains an XSS payload, such as a script tag wrapping JavaScript code. Select that term with the SHS widget and save the node; when the node is viewed, the field formatter prints the term name without escaping it, so the script executes. The second path is reproduced the same way: give a term a name containing a payload, then load that term's children through the module's AJAX request. The response carries the unescaped term name, and the browser executes the script when the client inserts it into the page.
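To make the two affected output contexts concrete, here is an added illustration that is not the SHS module's own code: a hypothetical field formatter and child-term AJAX callback written once in the vulnerable shape the advisory describes and once in a hardened shape. It assumes a Drupal 7 bootstrap so that the core functions check_plain() and drupal_json_output() exist; the term object and function names are constructed for this example.

```php
<?php
// Constructed sample term; the name carries the kind of HTML the advisory
// describes. In a real site this would come from taxonomy_term_load().
$term = (object) array('tid' => 42, 'name' => '<script>alert(1)</script>');

// Vulnerable field formatter shape: the term name is concatenated straight
// into markup, so any tags in it are parsed by the browser.
function shs_example_formatter_vulnerable($term) {
  return '<span class="shs-term">' . $term->name . '</span>';
}

// Hardened formatter: escape once, at the point of HTML output, with
// Drupal 7's check_plain(), which turns < > & " into entities.
function shs_example_formatter_safe($term) {
  return '<span class="shs-term">' . check_plain($term->name) . '</span>';
}

// Vulnerable child-term data shape: raw names are placed in the JSON that
// the widget later injects into the DOM as HTML.
function shs_example_children_vulnerable(array $terms) {
  $data = array();
  foreach ($terms as $t) {
    $data[] = array('tid' => $t->tid, 'label' => $t->name);
  }
  return $data;
}

// Hardened child-term data: labels are escaped server-side before they are
// serialized, so a client that inserts them as HTML still renders text.
function shs_example_children_safe(array $terms) {
  $data = array();
  foreach ($terms as $t) {
    $data[] = array('tid' => $t->tid, 'label' => check_plain($t->name));
  }
  return $data;
}

// Output comparison for the constructed term.
print shs_example_formatter_vulnerable($term) . "\n";
// <span class="shs-term"><script>alert(1)</script></span>
print shs_example_formatter_safe($term) . "\n";
// <span class="shs-term">&lt;script&gt;alert(1)&lt;/script&gt;</span>

// In a menu callback the hardened data would be returned as JSON with:
// drupal_json_output(shs_example_children_safe(array($term)));
```

A useful check when auditing similar code is that every place a term name is concatenated into markup or serialized for a client that sets innerHTML passes through check_plain() (or the client inserts it with textContent instead); the escaped output above shows the angle brackets as entities, which is what should appear in the rendered page source after the upgrade.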

Remediation

Users should upgrade to Simple Hierarchical Select version 7.x-1.12 or later. HeroDevs customers can access the patched version immediately.

Added: May 21, 2026, 10:45 PM
Updated: May 21, 2026, 10:45 PM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 1.7
exploitability: 6.3
remediation: 0.0
relevance: 9.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.