Search API - Moderately critical - Information Disclosure - SA-CONTRIB-2022-059

Project:

Search API

Date:

2022-October-19

Security risk:

Moderately critical 13∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon

Vulnerability:

Information Disclosure

Affected versions:

<1.27.0

Description:

This module enables you to build searches using a wide range of features, data sources and backends.

The module doesn't in all cases correctly detect whether a given search is active on the current page, leading to potential information disclosure for some setups.

This vulnerability is mitigated by the fact that only very specific setups will have this problem and there is no way for an attacker to trigger it.

Solution:

Install the latest version:

If you use the Search API module for Drupal 9.x/10.x, upgrade to Search API 8.x-1.27

Reported By:

Markus Kalkbrenner

Fixed By:

Gerhard Killesreiter of the Drupal Security Team
Joris Vercammen
Markus Kalkbrenner
Thomas Seidl
Damien McKenna of the Drupal Security Team

Coordinated By:

Michael Hess of the Drupal Security Team

Search API - Moderately critical - Information Disclosure - SA-CONTRIB-2022-059

Contact and more information

Contributing organizations for this advisory

Thank you to these Drupal contributors

News items

Our community

Documentation

Drupal code base

Governance of community