[Security-news] Search API - Moderately critical - Information Disclosure - SA-CONTRIB-2022-059

security-news at drupal.org
Wed Oct 19 20:43:26 UTC 2022


View online: https://www.drupal.org/sa-contrib-2022-059

Project: Search API [1]
Date: 2022-October-19
Security risk: *Moderately critical* 13∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
Vulnerability: Information Disclosure

Description: 
This module enables you to build searches using a wide range of features,
data sources and backends.

The module does not always correctly detect whether a given search is active
on the current page, which can lead to information disclosure in some
setups.

This vulnerability is mitigated by the fact that only very specific setups
will have this problem and there is no way for an attacker to trigger it.

Solution: 
Install the latest version:

   * If you use the Search API module for Drupal 9.x/10.x, upgrade to Search
     API 8.x-1.27 [3]
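
One way to check a Composer-managed site against the fixed release named above (an added example, not code from the advisory or the Search API project). It assumes Composer numbers the Drupal release 8.x-1.27 as 1.27.0 and that the site's composer.lock is readable; the function names and the sample lock content are constructed for illustration.

```python
import json
import re

PACKAGE = "drupal/search_api"
FIXED = (1, 27, 0)  # Search API 8.x-1.27 from the advisory, in Composer numbering (assumption)

# Constructed composer.lock excerpt for demonstration; not from a real site.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "9.4.8"},
        {"name": "drupal/search_api", "version": "1.26.0"},
    ],
    "packages-dev": [],
})

_VERSION = re.compile(r"v?(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)\d*)?$", re.I)


def classify(version):
    """Compare one Composer version string against the fixed release."""
    m = _VERSION.match(version)
    if m is None:
        # Branch checkouts such as "dev-1.x" or "1.x-dev" carry no release number.
        return "unknown"
    numbers = tuple(int(p or 0) for p in m.group(1, 2, 3))
    # A pre-release of X sorts before X itself, so 1.27.0-rc1 predates 1.27.0.
    if numbers < FIXED or (numbers == FIXED and m.group(4)):
        return "outdated"
    return "ok"


def check_lock(lock_text):
    """Return (status, version) for Search API in a composer.lock document."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name") == PACKAGE:
                version = pkg.get("version", "")
                return classify(version), version
    return "missing", None


if __name__ == "__main__":
    status, version = check_lock(SAMPLE_LOCK)
    print(f"{PACKAGE}: {version} -> {status}")
```

A result of "outdated" means the locked release predates the fix, not that the site's setup is one of the affected ones; "unknown" marks a branch build that needs a manual check.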

Reported By: 
   * Markus Kalkbrenner [4]

Fixed By: 
   * Gerhard Killesreiter [5] of the Drupal Security Team
   * Joris Vercammen [6]
   * Markus Kalkbrenner [7]
   * Thomas Seidl [8]
   * Damien McKenna [9] of the Drupal Security Team

Coordinated By: 
   * Michael Hess [10] of the Drupal Security Team


[1] https://www.drupal.org/project/search_api
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/search_api/releases/8.x-1.27
[4] https://www.drupal.org/user/124705
[5] https://www.drupal.org/user/83
[6] https://www.drupal.org/user/2393360
[7] https://www.drupal.org/user/124705
[8] https://www.drupal.org/user/205582
[9] https://www.drupal.org/user/108450
[10] https://www.drupal.org/u/mlhess


