Simple hierarchical select - Moderately critical - Cross site request forgery - SA-CONTRIB-2019-038

Project: Simple hierarchical selectDate: 2019-March-13Security risk: Moderately critical 10∕25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross site request forgeryDescription: Simple hierarchical select defines a new form widget for taxonomy fields to select a term by "browsing" through the vocabularies hierarchy. It also allows users to create new taxonomy terms using its widget directly in the node form.
Version 7.x of Simple hierarchical select doesn't sufficiently checks permission when creating new terms so attackers can create arbitrary taxonomy terms in any vocabularies the victim has access to..
This vulnerability is mitigated by the fact that an attacker must trick a user with permission to create terms to visit a specially prepared web page controlled by the attacker.Solution: Install the latest version:

  • If you use Simple hierarchical select prior to 7.x-1.7 update to 7.x-1.8
  • If you are unable to update, simply deactivate the option to allow creating new terms in the widget settings.

Note that the Drupal 8 version of this module is unaffected.Reported By: 

Fixed By: 

Coordinated By: 

  • Greg Knaddison of the Drupal Security Team
  • Path to article