CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS Percentile: 81.2%
This module provides AJAX-based auto-completion of fields in the Biblio node type (provided by the Biblio module), using previously entered values and third-party services.
The submodule “Biblio self autocomplete”, which completes fields from previously entered values, does not sufficiently sanitize user input before using it in a database query.
Additionally, the AJAX autocompletion callback itself was not properly access-controlled, so any visitor, including the anonymous user, could potentially retrieve the data.
Drupal core is not affected. If you do not use the contributed Biblio Autocomplete module, there is nothing you need to do.
Install the latest version:
Additionally there is a new permission “access biblio autocomplete” for accessing the search. You need to give this permission to users with write permissions on Biblio nodes.
Also see the Biblio Autocomplete project page.
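As an added illustration (not the Biblio Autocomplete module's own code), the Drupal 7 pattern that addresses both issues the advisory describes: the autocomplete path is guarded by the new “access biblio autocomplete” permission instead of being open to every visitor, and the typed prefix reaches the database only as a bound placeholder rather than being interpolated into the query. The module name `example_biblio_ac`, the path, and the `biblio` table / `biblio_publisher` column are assumptions for the example.

```php
<?php
// Added example, not the module's own code. Hypothetical module
// "example_biblio_ac"; the "biblio" table and "biblio_publisher" column
// are assumed for illustration.

/**
 * Implements hook_permission().
 * Defines the permission the advisory introduces for the autocomplete path.
 */
function example_biblio_ac_permission() {
  return array(
    'access biblio autocomplete' => array(
      'title' => t('Access Biblio autocomplete'),
    ),
  );
}

/**
 * Implements hook_menu().
 * The weak form of an autocomplete route uses 'access callback' => TRUE,
 * which exposes the callback to anonymous users. The hardened form below
 * requires the permission; the menu system performs the check before the
 * page callback runs.
 */
function example_biblio_ac_menu() {
  $items['biblio/autocomplete/publisher'] = array(
    'page callback' => 'example_biblio_ac_callback',
    'page arguments' => array(3),
    'access arguments' => array('access biblio autocomplete'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Page callback. The user-typed prefix is never concatenated into SQL:
 * db_like() escapes LIKE wildcards and the query builder binds the value
 * as a placeholder, so the input cannot alter the query structure.
 */
function example_biblio_ac_callback($string = '') {
  $matches = array();
  if ($string !== '') {
    $result = db_select('biblio', 'b')
      ->fields('b', array('biblio_publisher'))
      ->condition('biblio_publisher', db_like($string) . '%', 'LIKE')
      ->distinct()
      ->range(0, 10)
      ->execute();
    foreach ($result as $row) {
      // check_plain() prevents stored values from being rendered as markup.
      $matches[$row->biblio_publisher] = check_plain($row->biblio_publisher);
    }
  }
  drupal_json_output($matches);
}
```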
drupal.org/contact
drupal.org/security-team
drupal.org/security-team/risk-levels
drupal.org/security/secure-configuration
drupal.org/writing-secure-code
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5249
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5250
drupal.org/user/218368
www.drupal.org/project/biblio_autocomplete
www.drupal.org/u/damienmckenna
www.drupal.org/u/dstol