CVE-2018-7603 – Search Autocomplete
https://notcve.org/view.php?id=CVE-2018-7603
In Drupal's 3rd party module search auto complete prior to versions 7.x-4.8 there is a Cross Site Scripting vulnerability. This Search Autocomplete module enables you to autocomplete textfield using data from your website (nodes, comments, etc.). The module doesn't sufficiently filter user-entered text among the autocompletion items leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability can be exploited by any user allowed to create one of the autocompletion item, for instance, nodes, users, comments. En el módulo de terceros Search Autocomplete de Drupal, en versiones anteriores a la 7.x-4.8, hay una vulnerabilidad Cross-Site Scripting (XSS). • https://www.drupal.org/sa-contrib-2018-070 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2012-1638
https://notcve.org/view.php?id=CVE-2012-1638
SQL injection vulnerability in the Search Autocomplete module before 7.x-2.1 for Drupal allows remote authenticated users with the "use search_autocomplete" permission to execute arbitrary SQL commands via unspecified vectors. Vulnerabilidad de inyección SQL en el módulo Search Autocomplete anterior a la v7.x-2.1 para Drupal, permite a usuarios remotos autenticados con los permisos para usar "search_autocomplete", ejecutar comandos SQL de su elección a través de vectores no especificados. • http://drupal.org/node/1410674 http://drupal.org/node/1416612 http://drupalcode.org/project/search_autocomplete.git/commit/589e8f6 http://secunia.com/advisories/47731 http://www.openwall.com/lists/oss-security/2012/04/07/1 http://www.securityfocus.com/bid/51667 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •