CVE-2018-7603

Search Autocomplete

Severity Score: 6.1 (CVSS v3)
Exploit Likelihood: not listed (EPSS)
Affected Versions: see table below (CPE)
Public Exploits: 0 (Multiple Sources)
Exploited in Wild: - (KEV)
Decision: - (SSVC)

Descriptions

In Drupal's third-party module Search Autocomplete, prior to version 7.x-4.8, there is a Cross-Site Scripting (XSS) vulnerability. The Search Autocomplete module lets you autocomplete text fields using data from your website (nodes, comments, etc.). The module does not sufficiently filter user-entered text among the autocompletion items, leading to a Cross-Site Scripting (XSS) vulnerability. This vulnerability can be exploited by any user allowed to create one of the autocompletion items, for instance nodes, users, or comments.

*Credits: Reported by Simon Kapadia; fixed by Dominique CLAUSE

CVSS Scores
CVSS v3 metrics: Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: Required; Scope: Changed; Confidentiality: Low; Integrity: Low; Availability: None
CVSS v2 metrics: Attack Vector: Network; Attack Complexity: Medium; Authentication: None; Confidentiality: None; Integrity: Partial; Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2018-03-01 CVE Reserved
  • 2019-01-15 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-09-17 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (1)
Affected Vendors, Products, and Versions
  • Vendor: Search Autocomplete Project
  • Product: Search Autocomplete
  • Version: < 7.x-4.8
  • Other: drupal
  • Status: Affected