[IT-SecNots] [Security-news] Search API Pages - Critical - Cross Site Scripting - SA-CONTRIB-2021-046

[security-news AT drupal.org]

View online: https://www.drupal.org/sa-contrib-2021-046

Project: Search API Pages [1]
Date: 2021-December-08
Security risk: *Critical* 16∕25
AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross Site Scripting

Description: 
This module enables you to create simple search pages based on Search API
without the use of Views.

The module doesn’t sufficiently escape all variables provided for custom
templates.

This vulnerability is mitigated by the fact that the default template
provided by the module is not affected.

Solution: 
Install the latest version:

  * If you use the Search API Pages module for Drupal 7.x, upgrade to Search
    API Pages 7.x-1.6 [3]

Reported By: 
  * Duncan Davidson [4]

Fixed By: 
  * Damien McKenna [5] of the Drupal Security Team
  * Duncan Davidson [6]
  * Thomas Seidl [7]
  * Joris Vercammen [8]

Coordinated By: 
  * Chris [9] of the Drupal Security Team
  * Greg Knaddison [10] of the Drupal Security Team


[1] https://www.drupal.org/project/search_api_page
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/search_api_page/releases/7.x-1.6
[4] https://www.drupal.org/user/215978
[5] https://www.drupal.org/user/108450
[6] https://www.drupal.org/user/215978
[7] https://www.drupal.org/user/205582
[8] https://www.drupal.org/user/2393360
[9] https://www.drupal.org/user/1850070
[10] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news