[Security-news] Current Search Links - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-091
security-news at drupal.org
security-news at drupal.org
Wed Apr 1 19:10:51 UTC 2015
View online: https://www.drupal.org/node/2463843
* Advisory ID: DRUPAL-SA-CONTRIB-2015-091
* Project: Current Search Links [1] (third-party module)
* Version: 7.x
* Date: 2015-April-01
* Security risk: 15/25 ( Critical)
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION
---------------------------------------------------------
Current Search Links module is an extension to the Facet API Current Search
Blocks module. Instead of just showing the current search it turns the
current search keywords into links that you can drop from the search.
The module doesn't sufficiently sanitize the entered search query, thereby
exposing a XSS vulnerability. An attacker could exploit this vulnerability by
getting the victim to visit a specially-crafted URL.
This is mitigated by the fact that only sites with the option "Append the
keywords passed by the user to the list" disabled are affected.
-------- CVE IDENTIFIER(S) ISSUED
--------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance
with Drupal Security Team processes./
-------- VERSIONS AFFECTED
---------------------------------------------------
* Current Search Links 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Current Search
Links [4] module,
there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the Current Search Links module for Drupal 7.x, upgrade to
Current Search Links 7.x-1.1 [5]
Also see the Current Search Links [6] project page.
-------- REPORTED BY
---------------------------------------------------------
* Sogeti security team
* Martijn de Wit [7]
-------- FIXED BY
------------------------------------------------------------
* Johnny van de Laar [8] the module maintainer
-------- COORDINATED BY
------------------------------------------------------
* Pere Orga [9] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION
----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [10].
Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [14]
[1] https://www.drupal.org/project/current_search_links
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/current_search_links
[5] https://www.drupal.org/node/2463493
[6] https://www.drupal.org/project/current_search_links
[7] https://www.drupal.org/user/83953
[8] https://www.drupal.org/user/248932
[9] https://www.drupal.org/user/2301194
[10] https://www.drupal.org/contact
[11] https://www.drupal.org/security-team
[12] https://www.drupal.org/writing-secure-code
[13] https://www.drupal.org/security/secure-configuration
[14] https://twitter.com/drupalsecurity
More information about the Security-news
mailing list