
it-securitynotifies - [IT-SecNots] [Security-news] Search Autocomplete - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-026

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

List archive

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Search Autocomplete - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-026
  • Date: Wed, 28 Jun 2023 17:51:48 +0000 (UTC)
  • Authentication-results: mail.piratenpartei.de; dkim=none; spf=pass (mail.piratenpartei.de: domain of security-news-bounces AT drupal.org designates 140.211.166.137 as permitted sender) smtp.mailfrom=security-news-bounces AT drupal.org; dmarc=pass (policy=none) header.from=drupal.org
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2023-026

Project: Search Autocomplete [1]
Date: 2023-June-28
Security risk: *Moderately critical* 14/25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting

Affected versions: >=2.0.0 <2.0.3
Description: 
This module enables you to use complex autocompletion in forms.

The module doesn't sufficiently filter the text in the data it exposes for
autocompletion, allowing a malicious user to enter specially crafted tags and
carry out a Cross Site Scripting (XSS) attack.

This vulnerability is mitigated by the fact that an attacker must have a role
which allows them to publish the kind of data used in the autocomplete (for
instance, create nodes if the tool is used to search nodes, or comments if the
tool is used to search comments).
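The bug class the description refers to, as an added example that is neither the Search Autocomplete module's code nor the fix shipped in 2.0.3: autocomplete suggestions are data that content authors control, so every field has to be escaped before it is placed in the dropdown markup. The two renderers, the `escapeHtml` helper and the sample payload below are illustrative; it is assumed that suggestions arrive as JSON objects with `value` and `link` fields and are rendered client-side.

```javascript
// Added, illustrative example of the bug class in SA-CONTRIB-2023-026; it is
// not the Search Autocomplete module's code. Suggestion data that content
// authors control (node titles, comment text, ...) is returned as JSON and
// rendered into the search dropdown. If a field is inserted into markup
// unescaped, an author can smuggle markup that the browser executes.

// Minimal HTML escaper for text that lands in an HTML text node or a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable renderer: author-controlled fields are concatenated into markup
// as-is, so a tag stored in a title becomes live HTML in the dropdown.
function renderSuggestionsUnsafe(suggestions) {
  return suggestions.map(s =>
    `<li><a href="${s.link}">${s.value}</a></li>`
  ).join('');
}

// Hardened renderer: every untrusted field is escaped, and the link is only
// kept when it is a site-relative path (scheme-bearing or protocol-relative
// URLs such as "javascript:..." or "//evil" are replaced by "#").
function renderSuggestionsSafe(suggestions) {
  return suggestions.map(s => {
    const href = /^\/[^\/\\]/.test(s.link) ? escapeHtml(s.link) : '#';
    return `<li><a href="${href}">${escapeHtml(s.value)}</a></li>`;
  }).join('');
}

// Constructed sample payload (not real site data): the first row is an
// ordinary node title, the second is what a user who may create nodes could
// save as a title, the third carries a hostile link target.
const SAMPLE_SUGGESTIONS = [
  { value: 'Release notes 2.0.3', link: '/node/12' },
  { value: 'Hello <img src=x onerror=alert(document.cookie)>', link: '/node/13' },
  { value: 'Pricing', link: 'javascript:alert(1)' },
];

// Check used to compare the two renderers: does the markup still contain a
// raw opening tag of the given name (as opposed to its escaped "&lt;" form)?
function containsRawTag(html, tag) {
  return html.includes(`<${tag}`);
}

// Stand-alone run: show both outputs side by side.
console.log('unsafe:', renderSuggestionsUnsafe(SAMPLE_SUGGESTIONS));
console.log('safe:  ', renderSuggestionsSafe(SAMPLE_SUGGESTIONS));
```

Run with node. `renderSuggestionsUnsafe` passes the author-supplied `<img ... onerror>` straight into the page and keeps the `javascript:` link, while `renderSuggestionsSafe` emits the tag as inert text and drops the link. The role requirement stated in the advisory follows from where the data comes from: whoever is allowed to create the content being searched controls what the autocomplete endpoint exposes.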

Solution: 
Install the latest version:

* If you use the search_autocomplete module for Drupal 8.x or 9.x, upgrade
to Search Autocomplete 2.0.3 [3]

Reported By: 
* Mingsong [4]

Fixed By: 
* Mingsong [5]
* Dominique CLAUSE [6]
* Greg Knaddison [7] of the Drupal Security Team
* Drew Webber [8] of the Drupal Security Team

Coordinated By: 
* Damien McKenna [9] of the Drupal Security Team
* Drew Webber [10] of the Drupal Security Team
* Greg Knaddison [11] of the Drupal Security Team


[1] https://www.drupal.org/project/search_autocomplete
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/search_autocomplete/releases/2.0.3
[4] https://www.drupal.org/user/2986445
[5] https://www.drupal.org/user/2986445
[6] https://www.drupal.org/user/801982
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/255969
[9] https://www.drupal.org/user/108450
[10] https://www.drupal.org/user/255969
[11] https://www.drupal.org/user/36762

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news



Archive provided by MHonArc 2.6.24.
