View online: https://www.drupal.org/sa-contrib-2023-026
Project: Search Autocomplete [1]
Date: 2023-June-28
Security risk: *Moderately critical* 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting
Affected versions: >=2.0.0 <2.0.3
Description:
This module enables you to use complex autocompletion in forms.
The module doesn't sufficiently filter text in the data it exposes, allowing a malicious user to enter specially crafted tags that result in a Cross Site Scripting (XSS) attack.
This vulnerability is mitigated by the fact that an attacker must have a role which allows them to publish the kind of data used in the autocomplete (for instance, create nodes if the tool is used to search nodes, comments if the tool is used to search comments, etc.).
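The weakness described above is output that is built from user-authored content (node titles, comment subjects, and so on) without escaping. The following is an added illustration of that pattern and its hardened form; it is not the Search Autocomplete module's code and does not claim to show where the module's own fix was made. It assumes a client-side renderer that receives suggestion objects with `label` and `link` fields, and the sample suggestion list is constructed for the example.

```javascript
// Added example (not the Search Autocomplete module's code): rendering
// autocomplete suggestions so that suggestion text can never become markup.
// Suggestion labels originate from content that any user with the relevant
// publishing role can create, so they are untrusted input.

// Minimal HTML escaper for text placed in element content or in
// double-quoted attribute values.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: suggestion fields are concatenated straight into HTML,
// so a label containing tags is parsed as markup by the browser.
function renderSuggestionsUnsafe(suggestions) {
  return suggestions
    .map((s) => `<li><a href="${s.link}">${s.label}</a></li>`)
    .join('');
}

// Only accept same-site relative paths for the link target; anything else
// (absolute URLs, protocol-relative URLs, javascript: URLs) falls back to '#'.
function safeHref(link) {
  return typeof link === 'string' && /^\/[^/\\]/.test(link) ? link : '#';
}

// Hardened pattern: every untrusted field is escaped before it reaches HTML,
// and the link is validated before being emitted as an attribute value.
function renderSuggestionsSafe(suggestions) {
  return suggestions
    .map((s) => `<li><a href="${escapeHtml(safeHref(s.link))}">${escapeHtml(s.label)}</a></li>`)
    .join('');
}

// Constructed sample resembling an autocomplete JSON response (hypothetical
// data, not taken from any real site). The second title carries markup.
const SAMPLE_SUGGESTIONS = [
  { label: 'Drupal release notes', link: '/node/1' },
  { label: 'Title with <script>alert(1)</script> markup', link: '/node/2' },
];

// Show both renderings side by side when the file is run directly.
console.log('unsafe:', renderSuggestionsUnsafe(SAMPLE_SUGGESTIONS));
console.log('safe:  ', renderSuggestionsSafe(SAMPLE_SUGGESTIONS));
```

The same rule applies on the server side: if suggestion text is assembled into HTML in PHP before being sent to the browser, it should pass through Drupal's `\Drupal\Component\Utility\Html::escape()` (or be rendered through Twig, which autoescapes) rather than being concatenated as a raw string.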
Solution: Install the latest version:
* If you use the search_autocomplete module for Drupal 8.x or 9.x, upgrade to Search Autocomplete 2.0.3 [3]
Reported By: * Mingsong [4]
Fixed By:
* Mingsong [5]
* Dominique CLAUSE [6]
* Greg Knaddison [7] of the Drupal Security Team
* Drew Webber [8] of the Drupal Security Team
Coordinated By:
* Damien McKenna [9] of the Drupal Security Team
* Drew Webber [10] of the Drupal Security Team
* Greg Knaddison [11] of the Drupal Security Team
[1] https://www.drupal.org/project/search_autocomplete
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/search_autocomplete/releases/2.0.3
[4] https://www.drupal.org/user/2986445
[5] https://www.drupal.org/user/2986445
[6] https://www.drupal.org/user/801982
[7] https://www.drupal.org/user/36762
[8] https://www.drupal.org/user/255969
[9] https://www.drupal.org/user/108450
[10] https://www.drupal.org/user/255969
[11] https://www.drupal.org/user/36762