View online: https://www.drupal.org/sa-contrib-2019-030

Project: Facets [1] Version: 8.x-1.x-dev Date: 2019-February-27 Security risk: *Moderately critical* 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Cross site scripting

Description:  This module enables you to create facet-filters for results of a search query and exposes them as blocks

The module doesn't sufficiently escape HTML under the scenario leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by two factors. First, an attacker must have a way to insert results in the dataset that is exposed as a facet before this can happen. The permission to inject malicious strings depends on the site's search configuration but could be available to any user who can create content in a site. Second, the site must be using the Javascript-based dropdown widget.

Solution:  * Install the latest version Facets 8.x-1.3 [3]

An effective mitigation is to change the widget to use links instead of the dropdown widget.

Reported By:  * Ide Braakman [4]

Fixed By:  * Jimmy Henderickx [5] * Joris Vercammen [6]

Coordinated By:  * Greg Knaddison [7] of the Drupal Security Team

[1] https://www.drupal.org/project/facets [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/facets/releases/8.x-1.3 [4] https://www.drupal.org/user/1879760 [5] https://www.drupal.org/user/462700 [6] https://www.drupal.org/user/2393360 [7] https://www.drupal.org/user/36762