- Chosen module versions prior to 1.x-2.1.3
The Chosen module contains a library with known vulnerabilities:
Chosen is a JavaScript library for making long, unwieldy select boxes more user friendly. This library did not properly sanitize <code>optgroup</code> labels.
This vulnerability is mitigated by the fact that an attacker must have the ability to enter <code>optgroup</code> labels. This action would require a contrib or custom solution.
Upgrade your site to use the most recent version of the Chosen module. A download is available on the Chosen releases page.
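The class of bug described above, shown as an added example that is not code from the Chosen library or the Chosen module: a simplified widget rebuilds a select list as an HTML string, once without encoding the group labels and once with encoding. The data model, function names and sample labels are assumptions constructed for illustration.

```javascript
// Added illustration; not code from the Chosen library or the Chosen module.
// Models a widget that rebuilds a <select> as an HTML string from group data.

// Constructed sample data: the second label contains markup, standing in for
// a label that a contrib or custom solution allowed a user to enter.
const sampleGroups = [
  { label: "Fruit", options: ["Apple", "Pear"] },
  { label: "<em>Veg</em> & more", options: ["Leek"] },
];

// Encode the five characters that are significant in HTML text and attributes.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render the replacement list. `encode` is applied to every group label and
// option text before it is concatenated into markup.
function renderList(groups, encode) {
  const items = [];
  for (const group of groups) {
    items.push(`<li class="group">${encode(group.label)}</li>`);
    for (const option of group.options) {
      items.push(`<li class="item">${encode(option)}</li>`);
    }
  }
  return `<ul>${items.join("")}</ul>`;
}

// Unsanitized behaviour: labels reach the markup unchanged, so any tags in a
// label become part of the page.
const renderUnsafe = (groups) => renderList(groups, (s) => s);

// Hardened behaviour: labels are encoded and displayed as literal text.
const renderSafe = (groups) => renderList(groups, escapeHtml);

// Audit helper: list stored labels that contain HTML-significant characters,
// useful for reviewing existing data after upgrading.
function findSuspectLabels(groups) {
  return groups.map((g) => g.label).filter((label) => /[<>"'&]/.test(label));
}

console.log(renderUnsafe(sampleGroups));
console.log(renderSafe(sampleGroups));
console.log(findSuspectLabels(sampleGroups));
```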