This module provides an entity relationship hierarchy tree widget for an entity reference field.
The module doesn't sufficiently filter data on output, leading to a cross-site scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to modify an entity that is referenced by a field.
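To illustrate the class of bug described above, the following added example (not the module's code and not the 2.0.2 patch) renders a small entity hierarchy as HTML, first with labels inserted unencoded and then with labels encoded at output. The entity list, function names and markup are constructed for illustration.

```javascript
// Constructed sample data: a flat list of entities as a tree widget might receive it.
// The label of entity 2 was set by a user who is allowed to edit that entity.
const entities = [
  { id: 1, parent: null, label: "Fruit" },
  { id: 2, parent: 1, label: '<img src=x onerror="alert(1)">' },
  { id: 3, parent: 1, label: "Pears & Apples" },
];

// Encode the five characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Turn the flat list into a nested tree keyed on parent id.
function buildTree(items, parent = null) {
  return items
    .filter((e) => e.parent === parent)
    .map((e) => ({ id: e.id, label: e.label, children: buildTree(items, e.id) }));
}

// Render nested <ul>/<li> markup. `encode` decides how labels reach the page.
function renderTree(nodes, encode) {
  if (nodes.length === 0) return "";
  const items = nodes.map(
    (n) => `<li data-id="${escapeHtml(n.id)}">${encode(n.label)}${renderTree(n.children, encode)}</li>`
  );
  return `<ul>${items.join("")}</ul>`;
}

// Weak: the label is concatenated into markup as-is, so the browser parses it as HTML.
const unsafeHtml = renderTree(buildTree(entities), (label) => label);
// Corrected: the label is encoded at output time and displayed as literal text.
const safeHtml = renderTree(buildTree(entities), escapeHtml);

console.log(unsafeHtml);
console.log(safeHtml);
```

The stored label is unchanged in both cases; only the output step differs, which is why encoding belongs at render time rather than at input.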
Install the latest version:
- If you use the Entity Reference Tree Widget module for Drupal 8.x or 9.x, upgrade to entity_reference_tree 2.0.2
- Chris McCafferty of the Drupal Security Team
- Damien McKenna of the Drupal Security Team