Search Autocomplete - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-070

Project: Search Autocomplete

Date: 2018-October-17

Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

Vulnerability: Cross Site Scripting

CVE IDs: CVE-2018-7603

Description: The Search Autocomplete module enables you to autocomplete a text field using data from your website (nodes, comments, etc.).

The module doesn't sufficiently filter user-entered text among the autocompletion items, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability can be exploited by any user allowed to create one of the autocompletion items, for instance nodes, users, or comments.

Solution: Install the latest version:

Also see the Search Autocomplete project page.

Reported By: 

Fixed By: 

Coordinated By: 
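
The filtering gap described in the advisory's Description, shown as an added example that is not the Search Autocomplete module's code and not part of the advisory: suggestion rows built from user-authored content are rendered once without escaping and once with it. All function names and the sample rows are hypothetical and constructed for illustration.

```javascript
// Added example: hypothetical names, not the Search Autocomplete module's code.

// Constructed sample: suggestion rows as an autocomplete endpoint might return
// them, built from content that site users can author (node titles, comments).
const suggestions = [
  { value: 'Release notes', group: 'node' },
  { value: '<img src=x onerror=alert(1)>', group: 'node' }, // title containing markup
  { value: 'Tom & "Jerry"', group: 'comment' },
];

// Escape the five characters that are significant in HTML text and in
// quoted attribute values.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: user-authored text is concatenated into markup as-is,
// so a title containing tags becomes live HTML in every visitor's dropdown.
function renderUnsafe(items) {
  return items.map((s) => `<li class="${s.group}">${s.value}</li>`).join('');
}

// Hardened pattern: every interpolated field is escaped for its HTML context,
// so the same title is displayed as literal text.
function renderSafe(items) {
  return items
    .map((s) => `<li class="${escapeHtml(s.group)}">${escapeHtml(s.value)}</li>`)
    .join('');
}

// Review helper: return rows whose text looks like an HTML tag, for auditing
// content that was created before the fix was installed.
function findSuspicious(items) {
  return items.filter((s) => /<[a-z!\/]/i.test(String(s.value)));
}
```

Running `findSuspicious` over existing titles, usernames and comments after upgrading helps locate content that was stored while the unfiltered rendering was in place.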
