CVE Published: 15/01/2019 |
CVE Updated: 17/09/2024 |
CVE Year: 2018 |
Source: drupal |
Vendor: Drupal |
Product: 3rd party module - Search Autocomplete |
Status: PUBLISHED
CVE-2018-7603 Description
In Drupal's 3rd party module Search Autocomplete, versions prior to 7.x-4.8, there is a Cross Site Scripting vulnerability. The Search Autocomplete module enables you to autocomplete text fields using data from your website (nodes, comments, etc.). The module doesn't sufficiently filter user-entered text among the autocompletion items, leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability can be exploited by any user allowed to create one of the autocompletion items, for instance, nodes, users, comments.
CWE-ID: CWE Name: A vulnerability in Search Autocomplete, a 3rd party Drupal contributed module. Search Autocomplete allows an attacker to execute JavaScript code, causing XSS. Affected releases are Drupal 3rd party module - Search Autocomplete: versions prior to 7.x-4.8. Source: Drupal
Common Attack Pattern Enumeration and Classification (CAPEC)