Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2019-February-27
Vulnerability:
Cross site scripting
Affected versions:
<1.3.0
Description:
This module enables you to create facet-filters for results of a search query and exposes them as blocks
The module doesn't sufficiently escape HTML under the scenario leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by two factors. First, an attacker must have a way to insert results in the dataset that is exposed as a facet before this can happen. The permission to inject malicious strings depends on the site's search configuration but could be available to any user who can create content in a site. Second, the site must be using the Javascript-based dropdown widget.
Solution:
- Install the latest version Facets 8.x-1.3
An effective mitigation is to change the widget to use links instead of the dropdown widget.
Reported By:
Fixed By:
Coordinated By:
- Greg Knaddison of the Drupal Security Team
