it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Search API Solr Search - Moderately critical - Access bypass - SA-CONTRIB-2018-065
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Search API Solr Search - Moderately critical - Access bypass - SA-CONTRIB-2018-065
- Date: Wed, 10 Oct 2018 17:29:08 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2018-065
Project: Search API Solr Search [1]
Version: 7.x-1.13
Date: 2018-October-10
Security risk: *Moderately critical* 10∕25
AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Access bypass
Description:
This module provides support for creating searches using the Apache Solr
search engine and the Search API Drupal module.
The module doesn't sufficiently take the searched fulltext fields into
account when creating a search excerpt. This can, in specific cases, lead to
confidential data being leaked as part of the search excerpt.
Solution:
Install the latest version:
* If you use the Search API Solr Search module for Drupal 7.x, upgrade to
Search API Solr Search 7.x-1.14 [3]
Also see the Search API Solr Search [4] project page.
Reported By:
* Ronino [5]
Fixed By:
* Thomas Seidl [6]
* Markus Kalkbrenner [7]
* Ronino [8]
Coordinated By:
* Michael Hess [9] of the Drupal Security Team
* Greg Knaddison [10] of the Drupal Security Team
[1] https://www.drupal.org/project/search_api_solr
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/search_api_solr/releases/7.x-1.14
[4] https://www.drupal.org/project/search_api_solr
[5] https://www.drupal.org/user/645948
[6] https://www.drupal.org/user/205582
[7] https://www.drupal.org/user/124705
[8] https://www.drupal.org/user/645948
[9] https://www.drupal.org/u/mlhess
[10] https://www.drupal.org/u/greggles
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news