Current Search Links - Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-091

Current Search Links module is an extension to the Facet API Current Search Blocks module. Instead of just showing the current search it turns the current search keywords into links that you can drop from the search.

The module doesn’t sufficiently sanitize the entered search query, thereby exposing a XSS vulnerability. An attacker could exploit this vulnerability by getting the victim to visit a specially-crafted URL.

This is mitigated by the fact that only sites with the option “Append the keywords passed by the user to the list” disabled are affected.

CVE identifier(s) issued

• CVE-2015-4388

Versions affected

• Current Search Links 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Current Search Links module,
there is nothing you need to do.

Solution

Install the latest version:

• If you use the Current Search Links module for Drupal 7.x, upgrade to Current Search Links 7.x-1.1

Also see the Current Search Links project page.

Reported by

• Sogeti security team
• Martijn de Wit

Fixed by

• Johnny van de Laar the module maintainer

Coordinated by

• Pere Orga of the Drupal Security Team