[Security-news] Search API Pages - Critical - Cross Site Scripting - SA-CONTRIB-2021-046
security-news at drupal.org
security-news at drupal.org
Wed Dec 8 18:29:09 UTC 2021
View online: https://www.drupal.org/sa-contrib-2021-046
Project: Search API Pages [1]
Date: 2021-December-08
Security risk: *Critical* 16∕25
AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross Site Scripting
Description:
This module enables you to create simple search pages based on Search API
without the use of Views.
The module doesn’t sufficiently escape all variables provided for custom
templates.
This vulnerability is mitigated by the fact that the default template
provided by the module is not affected.
Solution:
Install the latest version:
* If you use the Search API Pages module for Drupal 7.x, upgrade to Search
API Pages 7.x-1.6 [3]
Reported By:
* Duncan Davidson [4]
Fixed By:
* Damien McKenna [5] of the Drupal Security Team
* Duncan Davidson [6]
* Thomas Seidl [7]
* Joris Vercammen [8]
Coordinated By:
* Chris [9] of the Drupal Security Team
* Greg Knaddison [10] of the Drupal Security Team
[1] https://www.drupal.org/project/search_api_page
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/search_api_page/releases/7.x-1.6
[4] https://www.drupal.org/user/215978
[5] https://www.drupal.org/user/108450
[6] https://www.drupal.org/user/215978
[7] https://www.drupal.org/user/205582
[8] https://www.drupal.org/user/2393360
[9] https://www.drupal.org/user/1850070
[10] https://www.drupal.org/user/36762
More information about the Security-news
mailing list