This module enables you to create facet-filters for results of a search query and exposes them as blocks
The module doesn't sufficiently escape HTML under the scenario leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by two factors. First, an attacker must have a way to insert results in the dataset that is exposed as a facet before this can happen. The permission to inject malicious strings depends on the site's search configuration but could be available to any user who can create content in a site. Second, the site must be using the Javascript-based dropdown widget.
- Install the latest version Facets 8.x-1.3
An effective mitigation is to change the widget to use links instead of the dropdown widget.
- Greg Knaddison of the Drupal Security Team