CVSS2
Attack Vector: NETWORK
Attack Complexity: HIGH
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:H/Au:N/C:N/I:P/A:N
EPSS
Percentile: 99.7%
Current Search Links module is an extension to the Facet API Current Search Blocks module. Instead of just showing the current search it turns the current search keywords into links that you can drop from the search.
The module doesn’t sufficiently sanitize the entered search query, thereby exposing an XSS vulnerability. An attacker could exploit this vulnerability by getting the victim to visit a specially crafted URL.
This is mitigated by the fact that only sites with the option “Append the keywords passed by the user to the list” disabled are affected.
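As an added illustration (not the module's own code and not part of the original advisory), the PHP below renders search keywords as "remove this keyword" links, first without and then with output escaping. The function names, the `/search` path and the `search` query parameter are hypothetical, and the input is constructed.

```php
<?php
// Added example; names, path and parameter are assumptions, not the module's API.

/** Unsafe: keywords from the request are concatenated into HTML unchanged. */
function keyword_links_unsafe(array $keywords, string $base): string {
  $items = [];
  foreach ($keywords as $i => $kw) {
    $rest = $keywords;
    unset($rest[$i]);                          // link target drops this keyword
    $href = $base . '?search=' . implode(' ', $rest);
    $items[] = '<a href="' . $href . '">' . $kw . '</a>';
  }
  return implode(' ', $items);
}

/** Hardened: URL-encode the query string, then HTML-escape every output value. */
function keyword_links_safe(array $keywords, string $base): string {
  $items = [];
  foreach ($keywords as $i => $kw) {
    $rest = $keywords;
    unset($rest[$i]);
    $href = $base . '?' . http_build_query(['search' => implode(' ', $rest)]);
    // In Drupal 7, check_plain() performs this same htmlspecialchars() call.
    $items[] = '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
      . htmlspecialchars($kw, ENT_QUOTES, 'UTF-8') . '</a>';
  }
  return implode(' ', $items);
}

// Constructed search query, as it would arrive in a URL parameter.
$query = 'facets <script>alert(1)</script>';
$keywords = preg_split('/\s+/', trim($query), -1, PREG_SPLIT_NO_EMPTY);

echo "unsafe: ", keyword_links_unsafe($keywords, '/search'), "\n";
echo "safe:   ", keyword_links_safe($keywords, '/search'), "\n";
```

In the hardened output the markup appears as `&lt;script&gt;` text in the link label and percent-encoded in the `href`, so the browser displays it instead of executing it.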
Drupal core is not affected. If you do not use the contributed Current Search Links module, there is nothing you need to do.
Install the latest version:
Also see the Current Search Links project page.
twitter.com/drupalsecurity
www.drupal.org/contact
www.drupal.org/project/current_search_links
www.drupal.org/security-team
www.drupal.org/security-team/risk-levels
www.drupal.org/security/secure-configuration
www.drupal.org/user/2301194
www.drupal.org/user/248932
www.drupal.org/user/83953
www.drupal.org/writing-secure-code