Search API Pages - Critical - Cross Site Scripting - SA-CONTRIB-2021-046 - Security-news

8 Dec 2021


      View online: https://www.drupal.org/sa-contrib-2021-046
Project: Search API Pages [1]
Date: 2021-December-08
Security risk: *Critical* 16∕25
AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross Site Scripting
Description: 
This module enables you to create simple search pages based on Search API
without the use of Views.
The module doesn’t sufficiently escape all variables provided for custom
templates.
This vulnerability is mitigated by the fact that the default template
provided by the module is not affected.
Solution: 
Install the latest version:
* If you use the Search API Pages module for Drupal 7.x, upgrade to Search
     API Pages 7.x-1.6 [3]
Reported By: 
   * Duncan Davidson [4]
Fixed By: 
   * Damien McKenna [5] of the Drupal Security Team
   * Duncan Davidson [6]
   * Thomas Seidl [7]
   * Joris Vercammen [8]
Coordinated By: 
   * Chris [9] of the Drupal Security Team
   * Greg Knaddison [10] of the Drupal Security Team
[1] https://www.drupal.org/project/search_api_page
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/search_api_page/releases/7.x-1.6
[4] https://www.drupal.org/user/215978
[5] https://www.drupal.org/user/108450
[6] https://www.drupal.org/user/215978
[7] https://www.drupal.org/user/205582
[8] https://www.drupal.org/user/2393360
[9] https://www.drupal.org/user/1850070
[10] https://www.drupal.org/user/36762