[SECURITY-L] [Security-news] Search API Pages - Critical - Cross Site Scripting - SA-CONTRIB-2021-046
CSIRT Unicamp
security em unicamp.br
Quinta Dezembro 9 09:08:27 -03 2021
View online: https://www.drupal.org/sa-contrib-2021-046
Project: Search API Pages [1]
Date: 2021-December-08
Security risk: *Critical* 16∕25
AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross Site Scripting
Description:
This module enables you to create simple search pages based on Search API
without the use of Views.
The module doesn’t sufficiently escape all variables provided for custom
templates.
This vulnerability is mitigated by the fact that the default template
provided by the module is not affected.
Solution:
Install the latest version:
* If you use the Search API Pages module for Drupal 7.x, upgrade to
Search
API Pages 7.x-1.6 [3]
Reported By:
* Duncan Davidson [4]
Fixed By:
* Damien McKenna [5] of the Drupal Security Team
* Duncan Davidson [6]
* Thomas Seidl [7]
* Joris Vercammen [8]
===
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - Unicamp
Centro de Computacao - CCUEC
GnuPG Public Key: http://www.security.unicamp.br/security.asc [^]
Contato: +55 19 3521-2289 ou INOC-DBA: 1251*830
-------------- Próxima Parte ----------
Um anexo em HTML foi limpo...
URL: <http://www.listas.unicamp.br/pipermail/security-l/attachments/20211209/1ac3ed4e/attachment.html>
Mais detalhes sobre a lista de discussão SECURITY-L