Cross Site Scripting (XSS) Vulnerability in Drupal's Search Autocomplete Module

CVE-2018-7603 · MEDIUM Severity

AV:N/AC:M/AU:N/C:N/I:P/A:N

In Drupal's 3rd party module search auto complete prior to versions 7.x-4.8 there is a Cross Site Scripting vulnerability. This Search Autocomplete module enables you to autocomplete textfield using data from your website (nodes, comments, etc.). The module doesn't sufficiently filter user-entered text among the autocompletion items leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability can be exploited by any user allowed to create one of the autocompletion item, for instance, nodes, users, comments.

Learn more about our Web App Pen Testing.