DRUPAL-CONTRIB-2023-026

Import Source
https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/search_autocomplete/DRUPAL-CONTRIB-2023-026.json
JSON Data
https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2023-026
Published
2023-06-28T17:11:07Z
Modified
2025-12-10T23:31:21.563365Z
Summary
[none]
Details

This module enables you to use complex autocompletion in forms.

The module doesn't sufficiently filter text in the data it exposes, allowing a malicious user to enter specially crafted tags that lead to a Cross-Site Scripting (XSS) attack.

This vulnerability is mitigated by the fact that an attacker must have a role which allows them to publish the kind of data used in the autocomplete (for instance, create nodes if the tool is used to search nodes, create comments if the tool is used to search comments, etc.).

References
Credits

Affected packages

Packagist: https://packages.drupal.org/8 / drupal/search_autocomplete

Package

Name
drupal/search_autocomplete
Purl
pkg:composer/drupal/search_autocomplete

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
2.0.3
Database specific
{
    "constraint": "<2.0.3"
}

Database specific

affected_versions
"<2.0.3"
source
"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/search_autocomplete/DRUPAL-CONTRIB-2023-026.json"