Simple Hierarchical Select
Stored cross-site scripting in the Simple Hierarchical Select (SHS) module for Drupal 7 (versions 7.x-1.0 through 7.x-1.10) enables authenticated attackers with taxonomy term editing privileges to inject malicious scripts via unsanitized term names. Two distinct code paths are confirmed vulnerable: field formatter output rendered by shs_field_formatter_view and term-tree child data generated by shs_term_get_children, both of which fail to apply proper output escaping before HTML rendering. No public exploit is identified at the time of analysis and no CISA KEV listing exists, but the network-accessible attack vector, combined with Drupal 7's end-of-life status, substantially elevates residual risk for unpatched deployments.
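As an added illustration, not code from the SHS module, the following Drupal 7 style PHP shows the unescaped output pattern described above beside a hardened form for both paths (rendered markup and child data handed to JavaScript). The function names, the sample terms and the local check_plain() fallback are assumptions so the file runs outside Drupal; inside Drupal, core's check_plain() is used.

```php
<?php
// Added illustration (not SHS module code): a term-name renderer written two ways.
// Drupal 7's check_plain() is reproduced here so the file runs outside Drupal;
// inside Drupal the core function is used instead.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample terms, shaped like the objects taxonomy_get_tree() returns.
// The second name carries harmless markup to show that raw HTML in a stored
// term name is reproduced unchanged by the unsafe path.
$terms = array(
  (object) array('tid' => 1, 'name' => 'Hardware'),
  (object) array('tid' => 2, 'name' => 'Audio <b>&</b> Video'),
);

// Unsafe pattern: the stored name is concatenated straight into '#markup'.
function shs_example_render_unsafe(array $terms) {
  $items = array();
  foreach ($terms as $term) {
    $items[] = '<li data-tid="' . $term->tid . '">' . $term->name . '</li>';
  }
  return array('#markup' => '<ul>' . implode('', $items) . '</ul>');
}

// Hardened pattern: every user-controlled value is escaped at the point of
// output; the tid is cast to int so it cannot carry markup either.
function shs_example_render_safe(array $terms) {
  $items = array();
  foreach ($terms as $term) {
    $items[] = '<li data-tid="' . (int) $term->tid . '">' . check_plain($term->name) . '</li>';
  }
  return array('#markup' => '<ul>' . implode('', $items) . '</ul>');
}

// Hardened pattern for child data sent to the browser: keep names as plain
// strings, hex-encode HTML-significant characters in the JSON, and have the
// client insert them as text nodes rather than via innerHTML.
function shs_example_children_json(array $terms) {
  $out = array();
  foreach ($terms as $term) {
    $out[] = array('tid' => (int) $term->tid, 'name' => (string) $term->name);
  }
  return json_encode($out, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

print shs_example_render_unsafe($terms)['#markup'] . "\n";
print shs_example_render_safe($terms)['#markup'] . "\n";
print shs_example_children_json($terms) . "\n";
```

Running the file prints the unsafe list with the `<b>` tags intact, the safe list with them entity-encoded, and a JSON document in which `<`, `>`, `&` and quotes are hex-escaped; the same three-line comparison is a quick review check for any formatter that emits taxonomy term names.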