Cross-site scripting vulnerability in Drupal Custom Search module
CVE-2014-7870

Currently unrated

Key Information:

Vendor

Drupal

CVE Published:
6 October 2014

What is CVE-2014-7870?

A cross-site scripting (XSS) vulnerability in Drupal's Custom Search module allows remote authenticated users with the 'administer custom search' permission to inject arbitrary web script or HTML through the 'Label text' field in the configuration settings for custom search results. The flaw affects versions prior to 6.x-1.12 and 7.x-1.14. Vulnerable sites may be exposed to exploitation, leading to unauthorized actions taken on behalf of legitimate users.

Timeline

  • Vulnerability Reserved

  • Vulnerability published
