- Advisory ID: DRUPAL-SA-CONTRIB-2015-091
- Project: Current Search Links (third-party module)
- Version: 7.x
- Date: 2015-April-01
- Security risk: 15/25 (Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
- Vulnerability: Cross Site Scripting
Description
The Current Search Links module is an extension to the Facet API Current Search Blocks module. Instead of only displaying the current search, it turns each current search keyword into a link that removes that keyword from the search.
The module does not sufficiently sanitize the entered search query, exposing an XSS vulnerability: keywords taken from the request are reflected into the rendered links without being escaped. An attacker could exploit this vulnerability by getting a victim to visit a specially crafted URL.
This vulnerability is mitigated by the fact that only sites with the option "Append the keywords passed by the user to the list" disabled are affected.
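The following Drupal 7 PHP is an illustration added to this advisory. It is not the Current Search Links module's code and not the actual fix; it shows the class of defect described above beside a hardened form. The function names csl_example_* and the keyword-list structure are assumptions, while url(), l(), check_plain() and theme('item_list') are Drupal 7 core helpers.

```php
<?php
// Illustration only: not the module's code. The csl_example_* names and the
// shape of $keywords (a plain array of strings from the request) are assumptions.

/**
 * VULNERABLE pattern: request-supplied keywords are concatenated into markup.
 *
 * url() percent-encodes the query values it places in the href, but the link
 * text is the raw keyword, so a crafted URL whose keyword contains
 * <script> or an event-handler attribute is rendered into the page.
 */
function csl_example_links_vulnerable(array $keywords, $path) {
  $items = array();
  foreach ($keywords as $i => $keyword) {
    // The link re-runs the search with this keyword dropped.
    $remaining = $keywords;
    unset($remaining[$i]);
    $href = url($path, array('query' => array('keys' => implode(' ', $remaining))));
    // BUG: $keyword is reflected verbatim into the anchor body.
    $items[] = '<a href="' . $href . '">' . $keyword . '</a>';
  }
  return '<ul><li>' . implode('</li><li>', $items) . '</li></ul>';
}

/**
 * HARDENED pattern: let l() build the anchor.
 *
 * l() runs check_plain() on the link text (unless 'html' => TRUE is passed,
 * which must not be done with user input) and also check_plain()s the href
 * it gets from url(), so both the text and the attribute are escaped.
 */
function csl_example_links_hardened(array $keywords, $path) {
  $items = array();
  foreach ($keywords as $i => $keyword) {
    $remaining = $keywords;
    unset($remaining[$i]);
    $items[] = l($keyword, $path, array(
      'query' => array('keys' => implode(' ', $remaining)),
    ));
  }
  // theme('item_list') expects items that are already safe markup; l() output is.
  return theme('item_list', array('items' => $items));
}

/**
 * If the markup has to be assembled by hand, escape each untrusted piece with
 * check_plain(), which is htmlspecialchars($text, ENT_QUOTES, 'UTF-8').
 */
function csl_example_manual_anchor($keyword, $href) {
  return '<a href="' . check_plain($href) . '">' . check_plain($keyword) . '</a>';
}
```

When reviewing a Drupal 7 module for this class of issue, look for string concatenation of anything that originates in $_GET, arg(), or drupal_get_query_parameters() into HTML, and for l() or theme() calls given 'html' => TRUE on user-controlled text.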
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- Current Search Links 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Current Search Links module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Current Search Links module for Drupal 7.x, upgrade to Current Search Links 7.x-1.1
Also see the Current Search Links project page.
Reported by
- Sogeti security team
- Martijn de Wit
Fixed by
- Johnny van de Laar the module maintainer
Coordinated by
- Pere Orga of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity