Current Search Links – Critical – Cross Site Scripting (XSS) – SA-CONTRIB-2015-091

Description

The Current Search Links module is an extension to the Facet API Current Search Blocks module. Instead of just showing the current search, it turns the current search keywords into links that let you drop a keyword from the search.

The module doesn’t sufficiently sanitize the entered search query, thereby exposing an XSS vulnerability. An attacker could exploit this vulnerability by getting the victim to visit a specially-crafted URL.

This is mitigated by the fact that only sites with the option “Append the keywords passed by the user to the list” disabled are affected.
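The pattern behind this advisory, as an added illustration that is not the Current Search Links module's own code: a Drupal 7 block that turns each search keyword into a "drop this keyword" link, first rendering the keyword verbatim and then letting l() escape it. The search path "search/site/…" and the function names are assumptions for the example.

```php
<?php
// Hypothetical example, not the module's code. Drupal 7 API assumed:
// l() builds an <a> tag and runs the link text through check_plain()
// unless 'html' => TRUE is set; url() builds the href for a path.

/**
 * Unsafe pattern: each keyword is dropped into the markup verbatim, so a
 * keyword carrying markup is rendered as HTML rather than shown as text.
 */
function example_keyword_links_unsafe(array $keywords) {
  $items = array();
  foreach ($keywords as $i => $keyword) {
    // The link re-runs the search with this keyword removed.
    $remaining = $keywords;
    unset($remaining[$i]);
    $path = 'search/site/' . implode(' ', $remaining);
    $items[] = '<a href="' . url($path) . '">' . $keyword . '</a>';
  }
  return implode(' ', $items);
}

/**
 * Hardened pattern: l() escapes both the link text and the href, so the
 * same keyword is displayed literally. Do not pass 'html' => TRUE unless
 * the text has already been sanitized (e.g. with check_plain()).
 */
function example_keyword_links_safe(array $keywords) {
  $items = array();
  foreach ($keywords as $i => $keyword) {
    $remaining = $keywords;
    unset($remaining[$i]);
    $items[] = l($keyword, 'search/site/' . implode(' ', $remaining));
  }
  return implode(' ', $items);
}
```

Any render path that concatenates user-supplied keywords into HTML by hand needs the check_plain() step the unsafe function omits; when the keywords are passed through the normal Drupal link and theme functions, the escaping comes for free.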

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.

Versions affected

  • Current Search Links 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Current Search Links module,
there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Current Search Links module for Drupal 7.x, upgrade to Current Search Links 7.x-1.1.

Also see the Current Search Links project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
