Search API Autocomplete Module up to 7.x-1.2 on Drupal cross site scripting : 9/1/2015 5:08:59 AM
Communicate with co-workers in real time. Used by Netflix, Dropbox & Salesforce. $0/unlimited users. Get started >> From our sponsors |
Vulnerability Advisories |
Vulnerabilities of scip VulDB |
Search API Autocomplete Module up to 7.x-1.2 on Drupal cross site scripting
8/30/2015 7:00:00 PM
General
scipID: 77513
Affected: Search API Autocomplete Module up to 7.x-1.2
Published: 08/31/2015
Risk: problematic
Created: 09/01/2015
Entry: 65.8% complete
Summary
A vulnerability was found in Search API Autocomplete Module up to 7.x-1.2 on Drupal and classified as problematic. This issue affects an unknown function. The manipulation with an unknown input leads to a cross site scripting vulnerability. Impacted is integrity. The summary by CVE is:
Cross-site scripting (XSS) vulnerability in the Search API Autocomplete module 7.x-1.x before 7.x-1.3 for Drupal, when the search index is configured to use the HTML filter processor, allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in the returned suggestions.
The weakness was presented 08/31/2015. The identification of this vulnerability is CVE-2015-6752. The exploitation is known to be easy. The attack may be initiated remotely. Neither technical details nor an exploit are publicly available.
Upgrading to version 7.x-1.3 eliminates this vulnerability.CVSS
Base Score: 4.0 (CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N) [?]
Temp Score: 3.5 (CVSS2#E:ND/RL:OF/RC:ND) [?]
CPE
- cpe:/a:search_api_autocomplete_module:search_api_autocomplete_module:7.x-1.0
- cpe:/a:search_api_autocomplete_module:search_api_autocomplete_module:7.x-1.1
- cpe:/a:search_api_autocomplete_module:search_api_autocomplete_module:7.x-1.2
Exploiting
Class: Cross site scripting
Local: No
Remote: Yes
Availability: No
Countermeasures
Recommended: Upgrade
Status: Official fix
0-Day Time: 0 days since found
Upgrade: Search API Autocomplete Module 7.x-1.3
Timeline
08/31/2015 | Advisory disclosed
09/01/2015 | VulDB entry created
09/01/2015 | VulDB entry updated
Sources
CVE: CVE-2015-6752 (mitre.org) (nvd.nist.org) (cvedetails.com)
You are receiving this email because you subscribed to this feed at feedmyinbox.com
If you no longer wish to receive these emails, you can unsubscribe from this feed, or manage all your subscriptions