[Security-news] Search Autocomplete - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-026

[security-news at drupal.org]

View online: https://www.drupal.org/sa-contrib-2023-026

Project: Search Autocomplete [1]
Date: 2023-June-28
Security risk: *Moderately critical* 14∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting

Affected versions: >=2.0.0 <2.0.3
Description: 
This module enables you to use complex autocompletion in forms.

The module doesn't sufficiently filter text in the data it exposes, allowing
a malicious user to enter specially crafted tags to exploit a Cross Site
Scripting (XSS) attack.

This vulnerability is mitigated by the fact that an attacker must have a role
which allows them to publish the kind of data used in the autocomplete (for
instance create nodes if the tool is used to search nodes, comments if the
tool is used to search comments, etc...)

Solution: 
Install the latest version:

   * If you use the search_autocomplete module for Drupal 8.x or 9.x, upgrade
     to Search Autocomplete 2.0.3 [3]

Reported By: 
   * Mingsong  [4]

Fixed By: 
   * Mingsong  [5]
   * Dominique CLAUSE [6]
   * Greg Knaddison [7] of the Drupal Security Team
   * Drew Webber [8] of the Drupal Security Team

Coordinated By: 
   * Damien McKenna [9] of the Drupal Security Team
   * Drew Webber [10] of the Drupal Security Team
   * Greg Knaddison [11] of the Drupal Security Team


[1] https://www.drupal.org/project/search_autocomplete
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/search_autocomplete/releases/2.0.3
[4] https://www.drupal.org/user/2986445
[5] https://www.drupal.org/user/2986445
[6] https://www.drupal.org/user/801982
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/255969
[9] https://www.drupal.org/user/108450
[10] https://www.drupal.org/user/255969
[11] https://www.drupal.org/user/36762