Taxonomy Term Reference Tree Widget
Monthly
Stored cross-site scripting in the Drupal 7 Term Reference Tree module (versions 7.x-1.x through 7.x-1.11) exposes two distinct injection vectors in its widget and formatter rendering pipeline, both exploitable by any authenticated user with taxonomy term edit permissions. Vector A triggers when the Token module is enabled and token display templates are configured, allowing attacker-controlled term description output to render unsanitized. Vector B targets the widget itself, where taxonomy term labels are written to form output without sanitization, executing injected scripts in the browsers of users who view any form containing the widget. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low privilege bar and persistent nature of stored XSS make this a meaningful risk in multi-user Drupal 7 deployments.
Stored cross-site scripting in the Drupal 7 Term Reference Tree module (versions 7.x-1.x through 7.x-1.11) exposes two distinct injection vectors in its widget and formatter rendering pipeline, both exploitable by any authenticated user with taxonomy term edit permissions. Vector A triggers when the Token module is enabled and token display templates are configured, allowing attacker-controlled term description output to render unsanitized. Vector B targets the widget itself, where taxonomy term labels are written to form output without sanitization, executing injected scripts in the browsers of users who view any form containing the widget. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low privilege bar and persistent nature of stored XSS make this a meaningful risk in multi-user Drupal 7 deployments.