Drupal Security Team: DRUPAL-SA-CONTRIB-2012-013 (published Jan 25, 2012)

SA-CONTRIB-2012-013 - Search Autocomplete - SQL Injection

Published: 2012-01-25 00:00:00
Source: Drupal Security Team (www.drupal.org)

CVSS2 score: 6 (Medium)
  Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: SINGLE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

EPSS score: 0.003 (Low)
  Percentile: 66.0%

CVE: CVE-2012-1638

The Search Autocomplete module allows you to add autocomplete functionality to the search fields of a Drupal site.

Search Autocomplete does not properly use Drupal’s database API, making it possible for a malicious user to carry out SQL injection on the site. This vulnerability is mitigated by the fact that users must have a role with the permission “use search_autocomplete” to exploit it.
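The root cause named above (bypassing the placeholder mechanism of Drupal’s database API) is easiest to see beside the correct pattern. The following is an added illustration written for this page; it is not the Search Autocomplete module’s code and the module name `example`, the path `example/autocomplete` and the function names are assumptions. It shows a Drupal 7 autocomplete callback built with string concatenation, the same callback rewritten with `db_query_range()` placeholders and `db_like()`, and a `hook_menu()` entry that gates the path behind the “use search_autocomplete” permission the advisory mentions as the mitigating factor.

```php
<?php
// Added example for this advisory page; hypothetical module "example",
// not the Search Autocomplete module's actual source.

/**
 * UNSAFE pattern: the typed search string is spliced into the SQL text.
 * Whatever the user submits becomes part of the statement Drupal sends to
 * the database, which is the class of defect the advisory describes.
 */
function example_autocomplete_unsafe($string) {
  // Concatenation defeats the placeholder/PDO binding the API provides.
  $result = db_query("SELECT title FROM {node} WHERE status = 1 AND title LIKE '" . $string . "%'");
  $matches = array();
  foreach ($result as $row) {
    $matches[$row->title] = check_plain($row->title);
  }
  drupal_json_output($matches);
}

/**
 * SAFE pattern: named placeholder bound by the database layer, LIKE
 * wildcards escaped, result count bounded by db_query_range().
 */
function example_autocomplete_safe($string) {
  $matches = array();
  // db_like() escapes % and _ so the user cannot widen the match; the value
  // itself is passed as a bound parameter and is never parsed as SQL.
  $result = db_query_range(
    'SELECT title FROM {node} WHERE status = 1 AND title LIKE :pattern ORDER BY title',
    0,
    10,
    array(':pattern' => db_like($string) . '%')
  );
  foreach ($result as $row) {
    // Escape for output as well: the title lands in HTML on the client.
    $matches[$row->title] = check_plain($row->title);
  }
  drupal_json_output($matches);
}

/**
 * Implements hook_menu().
 *
 * Restricting the callback to the "use search_autocomplete" permission is
 * the access check that limits who can reach the query path at all; it is
 * defence in depth, not a substitute for the placeholder fix above.
 */
function example_menu() {
  $items = array();
  $items['example/autocomplete'] = array(
    'page callback' => 'example_autocomplete_safe',
    'page arguments' => array(2),
    'access arguments' => array('use search_autocomplete'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}
```

When reviewing a contributed module for this defect, search for `db_query` calls whose first argument is built with `.` concatenation or string interpolation of request data, and for `{table}` queries that carry a `LIMIT` in the string rather than going through `db_query_range()` or `db_select()`; every value originating from `$_GET`, `$_POST` or a path argument should appear only inside the `$args` array.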

Versions affected

  • Search Autocomplete versions prior to 7.x-2.1.

Drupal core is not affected. If you do not use the contributed Search Autocomplete module, there is nothing you need to do.

Solution

Install the latest version (Search Autocomplete 7.x-2.1 or later).

See the Search Autocomplete project page for more information.

Reported by

Fixed by

Coordinated by
