Search Autocomplete - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-070

Project:

Date:

2018-October-17

Security risk:

Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

Vulnerability:

Cross Site Scripting

CVE IDs:

CVE-2018-7603

Description:

This Search Autocomplete module enables you to autocomplete textfield using data from your website (nodes, comments, etc..).

The module doesn't sufficiently filter user-entered text among the autocompletion items leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability can be exploited by any user allowed to create one of the autocompletion item, for instance, nodes, users, comments.

Solution:

Install the latest version:

If you use the Search Autocomplete module for Drupal 7.x, upgrade to Search Autocomplete 7.x-4.8

Also see the Search Autocomplete project page.

Reported By:

Fixed By:

Coordinated By:

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.