Search Autocomplete
CVE-2018-7603
6.1MEDIUM
Key Information
- Vendor
- Drupal
- Status
- 3rd Party Module - Search Autocomplete
- Vendor
- CVE Published:
- 15 January 2019
Summary
In Drupal's 3rd party module search auto complete prior to versions 7.x-4.8 there is a Cross Site Scripting vulnerability. This Search Autocomplete module enables you to autocomplete textfield using data from your website (nodes, comments, etc.). The module doesn't sufficiently filter user-entered text among the autocompletion items leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability can be exploited by any user allowed to create one of the autocompletion item, for instance, nodes, users, comments.
Affected Version(s)
3rd party module - Search Autocomplete < 7.x-4.8
CVSS V3.1
Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed
Timeline
Vulnerability published.
Vulnerability Reserved.
Collectors
NVD DatabaseMitre Database
Credit
Reported By: Simon Kapadia Fixed By: Dominique CLAUSE