SA-CONTRIB-2012-107 - Search autocomplete - Access bypass

2012-07-11 00:00:00
Drupal Security Team
www.drupal.org
CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:N/I:P/A:N)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

AI Score: 6.4 Medium (Confidence: High)

EPSS: 0.003 Low (Percentile: 71.9%)

This module allows you to add autocomplete functionality to virtually any field of a Drupal site.
The module doesn’t sufficiently protect access to the module admin page. This vulnerability is mitigated by the fact that the user can only access the page, disable an autocompletion, or change the priority order.

CVE: CVE-2012-4471

Versions affected

  • Search Autocomplete 7.x-2.x versions prior to 7.x-2.4.

Drupal core is not affected. If you do not use the contributed Search Autocomplete module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Search Autocomplete module for Drupal 6.x, upgrade to Search Autocomplete 7.x-2.4

Also see the Search Autocomplete project page.

Reported by

Fixed by

Coordinated by
