Stored cross-site scripting in Autocomplete Deluxe (module for Drupal) - #VU4435

Published: January 11, 2017 / Updated: January 12, 2017


Vulnerability identifier: #VU4435
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Sebastian Gilits (sepgil)
Affected software:
Autocomplete Deluxe (module for Drupal)

Detailed vulnerability description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability is caused by insufficient filtering of input data passed via taxonomy terms. A remote authenticated attacker with privileges to edit taxonomy fields can permanently inject arbitrary HTML and script code and have it executed in the victim's browser, in the security context of the vulnerable website, when the victim visits the affected page.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
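The pattern behind this class of bug, as an added illustration that is not the module's own code: it assumes an autocomplete widget that builds suggestion markup from stored taxonomy term names (the term data, the `renderSuggestions*` functions and `containsRawTag` are constructed for this example).

```javascript
// Constructed sample data: term 13 was saved by an account that may edit
// taxonomy terms, and its name carries markup.
const SAMPLE_TERMS = [
  { tid: 12, name: 'Security' },
  { tid: 13, name: '<script>alert(1)</script>' },
];

// Vulnerable pattern: the stored term name is concatenated into HTML as-is,
// so whatever markup it contains is parsed by every visitor's browser.
function renderSuggestionsUnsafe(items) {
  return items
    .map((t) => `<li data-tid="${t.tid}">${t.name}</li>`)
    .join('');
}

// Escape the five characters that change meaning in HTML text and
// double-quoted attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: every stored value is escaped at the point of output,
// regardless of which role was allowed to write it. Trusting "editor-only"
// data is exactly what turns an edit privilege into stored XSS.
function renderSuggestionsSafe(items) {
  return items
    .map((t) => `<li data-tid="${escapeHtml(t.tid)}">${escapeHtml(t.name)}</li>`)
    .join('');
}

// Heuristic check for a code review or unit test: does rendered output still
// contain an unescaped script tag, image tag or inline event handler?
function containsRawTag(html) {
  return /<script\b|<img\b|\son\w+\s*=/i.test(html);
}
```

Running `renderSuggestionsSafe(SAMPLE_TERMS)` yields `&lt;script&gt;alert(1)&lt;/script&gt;` inside the list item, which the browser shows as text instead of executing.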

Remediation

Install the fixed version 7.x-2.2 from the Drupal website:
https://www.drupal.org/project/autocomplete_deluxe/releases

Sources