
CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

In Drupal's third-party Search Autocomplete module prior to version 7.x-4.8, there is a cross-site scripting vulnerability. The Search Autocomplete module lets you autocomplete a text field using data from your website (nodes, comments, etc.). The module doesn't sufficiently filter user-entered text among the autocompletion items, leading to a cross-site scripting (XSS) vulnerability. This vulnerability can be exploited by any user allowed to create one of the autocompletion items, for instance nodes, users, or comments.

• https://www.drupal.org/sa-contrib-2018-070
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 2.1 • EPSS: 0% • CPEs: 3 • EXPL: 0

Cross-site scripting (XSS) vulnerability in the Search API Autocomplete module 7.x-1.x before 7.x-1.3 for Drupal, when the search index is configured to use the HTML filter processor, allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in the returned suggestions.

• https://www.drupal.org/node/2553485
• https://www.drupal.org/node/2553977
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')