DRUPAL-CONTRIB-2019-030

See a problem?

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/facets/DRUPAL-CONTRIB-2019-030.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2019-030

Published

2019-02-27T17:28:36Z

Modified

2025-12-10T23:33:32.673430Z

Summary

[none]

Details

This module enables you to create facet-filters for results of a search query and exposes them as blocks

The module doesn't sufficiently escape HTML under the scenario leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by two factors. First, an attacker must have a way to insert results in the dataset that is exposed as a facet before this can happen. The permission to inject malicious strings depends on the site's search configuration but could be available to any user who can create content in a site. Second, the site must be using the Javascript-based dropdown widget.

References

https://www.drupal.org/sa-contrib-2019-030

Credits

- Ide Braakman
- - https://www.drupal.org/user/1879760

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/facets

Package

Name: drupal/facets
Purl: pkg:composer/drupal/facets

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.3.0

Database specific

{
    "constraint": "<1.3.0"
}

Database specific

affected_versions

"<1.3.0"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/facets/DRUPAL-CONTRIB-2019-030.json"