{"id":"DRUPAL-CONTRIB-2018-008","details":"This module enables you to show referenced entities in tabs.\n\nThe module doesn't sufficiently sanitize the body fields of the referenced entities when it prints them to the tabs.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the permission create/edit content of the content type that is referenced.","modified":"2025-12-10T23:33:48.670110Z","published":"2018-02-07T18:45:12Z","references":[{"type":"WEB","url":"https://www.drupal.org/sa-contrib-2018-008"}],"affected":[{"package":{"name":"drupal/entity_ref_tab_formatter","ecosystem":"Packagist:https://packages.drupal.org/8","purl":"pkg:composer/drupal/entity_ref_tab_formatter"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.3.0"}],"database_specific":{"constraint":"\u003c1.3.0"}}],"database_specific":{"source":"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/entity_ref_tab_formatter/DRUPAL-CONTRIB-2018-008.json","affected_versions":"\u003c1.3.0"}}],"schema_version":"1.7.3","credits":[{"name":"Tatar Balazs Janos","contact":["https://www.drupal.org/u/tatarbj"]}]}