Vulnerability Description
The third-party Drupal module Search Autocomplete, in versions prior to 7.x-4.8, contains a Cross-Site Scripting (XSS) vulnerability. The module lets you autocomplete text fields using data from your website (nodes, comments, etc.). It does not sufficiently filter user-entered text among the autocompletion items, which leads to the XSS vulnerability. The vulnerability can be exploited by any user allowed to create one of the autocompletion items, for instance nodes, users, or comments.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Search Autocomplete Project | Search Autocomplete | < 7.x-4.8 |
Related Weaknesses (CWE)
References
- https://www.drupal.org/sa-contrib-2018-070 (Patch, Vendor Advisory)
FAQ
What is CVE-2018-7603?
CVE-2018-7603 is a vulnerability with a CVSS score of 6.1 (MEDIUM). The third-party Drupal module Search Autocomplete, in versions prior to 7.x-4.8, contains a Cross-Site Scripting (XSS) vulnerability. This Search Autocomplete module enables you to autocomplete textfield using d...
How severe is CVE-2018-7603?
CVE-2018-7603 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2018-7603?
Check the references section above for vendor advisories and patch information. Affected products include: Search Autocomplete Project Search Autocomplete.