it-securitynotifies AT lists.piratenpartei.de
Betreff: Sicherheitsankündigungen
Listenarchiv
[IT-SecNots] [Security-news] Facets - Moderately critical - Cross site scripting - SA-CONTRIB-2021-008
Chronologisch Thread
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Facets - Moderately critical - Cross site scripting - SA-CONTRIB-2021-008
- Date: Wed, 12 May 2021 16:50:41 +0000 (UTC)
- Authentication-results: mail02.piratenpartei.de; dkim=none; spf=pass (mail02.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.137 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2021-008
Project: Facets [1]
Version: 8.x-1.x-dev
Date: 2021-May-12
Security risk: *Moderately critical* 11∕25
AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross site scripting
Description:
This module enables you to add customizable facets on search pages, from core
search or searches provided by Search API.
The module doesn't sufficiently filter all output in certain circumstances.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "administer facets".
Solution:
Install the latest version:
* If you use the Facets module for Drupal 8.x/9.x, upgrade to Facets 8.x-1.8
[3]
Reported By:
* Ide Braakman [4]
Fixed By:
* Markus Kalkbrenner [5]
* Ide Braakman [6]
* Joris Vercammen [7]
Coordinated By:
* Damien McKenna [8] of the Drupal Security Team
[1] https://www.drupal.org/project/facets
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/facets/releases/8.x-1.8
[4] https://www.drupal.org/user/1879760
[5] https://www.drupal.org/user/124705
[6] https://www.drupal.org/user/1879760
[7] https://www.drupal.org/user/2393360
[8] https://www.drupal.org/u/damienmckenna
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
- [IT-SecNots] [Security-news] Facets - Moderately critical - Cross site scripting - SA-CONTRIB-2021-008, security-news, 12.05.2021
Archiv bereitgestellt durch MHonArc 2.6.24.