The module provides a field widget for selecting taxonomy terms in a hierarchical fashion.
The module doesn't sanitize user input in certain cases, leading to a possible cross-site scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to create or edit taxonomy terms to which the widget may apply.
Install the latest version:
- If you use the cshs module for Drupal 8 or 9, upgrade to Client-side Hierarchical Select 8.x-3.5.
- Damien McKenna of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team