Drupal Security TeamDRUPAL-SA-CONTRIB-2014-034SA-CONTRIB-2014-034 - Custom Search - Cross Site Scripting
3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
35.3%
The Custom Search module alters the default search box to provide additional search filtering options and control.
Custom Search contains a persistent cross-site scripting (XSS) vulnerability due to the fact that it fails to sanitize filter labels before display.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission βadminister custom search.β
CVE identifier(s) issued
- CVE-2014-7870
Versions affected
- Custom Search 6.x-1.x versions prior to 6.x-1.12.
- Custom Search 7.x-1.x versions prior to 7.x-1.14.
Drupal core is not affected. If you do not use the contributed Custom Search module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Custom Search module for Drupal 6.x, upgrade to Custom Search 6.x-1.12
- If you use the Custom Search module for Drupal 7.x, upgrade to Custom Search 7.x-1.14
Also see the Custom Search project page.
Reported by
Fixed by
- Justin C. Klein Keane
- JΓ©rΓ΄me Danthinne, module maintainer
Coordinated by
- Greg Knaddison of the Drupal Security Team
- Ben Jeavons of the Drupal Security Team
References
drupal.org/contact
drupal.org/project/custom_search
drupal.org/security-team
drupal.org/security-team/risk-levels
drupal.org/security/secure-configuration
drupal.org/user/302225
drupal.org/user/91990
drupal.org/writing-secure-code
drupal.org/node/2231531
drupal.org/node/2231533
drupal.org/user/313766
drupal.org/user/36762
twitter.com/drupalsecurity
Related
3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
35.3%