DRUPAL-CONTRIB-2019-060

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/existing_values_autocomplete_widget/DRUPAL-CONTRIB-2019-060.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2019-060
Published
2019-07-24T17:36:23Z
Modified
2025-12-10T23:33:31.311011Z
Summary
[none]
Details

This module provides an autocomplete widget for text fields that suggests all existing (previously entered) values for that field.

The module doesn't sufficiently check for proper access permissions before returning autocomplete results.

This vulnerability is mitigated by the fact that an attacker must know the route to the autocomplete callback controller, though this is easily known.

References
Credits

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/existing_values_autocomplete_widget

Package

Name
drupal/existing_values_autocomplete_widget
Purl
pkg:composer/drupal/existing_values_autocomplete_widget

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.2.0
Database specific
{
    "constraint": "<1.2.0"
}

Database specific

affected_versions
"<1.2.0"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/existing_values_autocomplete_widget/DRUPAL-CONTRIB-2019-060.json"