Search API Autocomplete Module up to 7.x-1.2 on Drupal cross site scripting : 9/1/2015 5:08:59 AM

Group Chat & IM for Teams Communicate with co-workers in real time. Used by Netflix, Dropbox & Salesforce. $0/unlimited users. Get started >> From our sponsors

 

 

Vulnerability Advisories

Vulnerabilities of scip VulDB

Search API Autocomplete Module up to 7.x-1.2 on Drupal cross site scripting
8/30/2015 7:00:00 PM

General

scipID: 77513
Affected: Search API Autocomplete Module up to 7.x-1.2
Published: 08/31/2015
Risk: problematic

Created: 09/01/2015
Entry: 65.8% complete

Summary

A vulnerability was found in Search API Autocomplete Module up to 7.x-1.2 on Drupal and classified as problematic. This issue affects an unknown function. The manipulation with an unknown input leads to a cross site scripting vulnerability. Impacted is integrity. The summary by CVE is:

Cross-site scripting (XSS) vulnerability in the Search API Autocomplete module 7.x-1.x before 7.x-1.3 for Drupal, when the search index is configured to use the HTML filter processor, allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in the returned suggestions.

The weakness was presented 08/31/2015. The identification of this vulnerability is CVE-2015-6752. The exploitation is known to be easy. The attack may be initiated remotely. Neither technical details nor an exploit are publicly available.

Upgrading to version 7.x-1.3 eliminates this vulnerability.

CVSS

Base Score: 4.0 (CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N) [?]
Temp Score: 3.5 (CVSS2#E:ND/RL:OF/RC:ND) [?]

CPE

• cpe:/a:search_api_autocomplete_module:search_api_autocomplete_module:7.x-1.0
• cpe:/a:search_api_autocomplete_module:search_api_autocomplete_module:7.x-1.1
• cpe:/a:search_api_autocomplete_module:search_api_autocomplete_module:7.x-1.2

Exploiting

Class: Cross site scripting
Local: No
Remote: Yes

Availability: No

Countermeasures

Recommended: Upgrade
Status: Official fix
0-Day Time: 0 days since found

Upgrade: Search API Autocomplete Module 7.x-1.3

Timeline

08/31/2015 | Advisory disclosed
09/01/2015 | VulDB entry created
09/01/2015 | VulDB entry updated

Sources

CVE: CVE-2015-6752 (mitre.org) (nvd.nist.org) (cvedetails.com)

 

You are receiving this email because you subscribed to this feed at feedmyinbox.com

If you no longer wish to receive these emails, you can unsubscribe from this feed, or manage all your subscriptions