- Advisory ID: SA-CONTRIB-2012-107
- Project: Search Autocomplete (third-party module)
- Version: 7.x
- Date: 2012-July-11
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Access bypass
Description
This module allows you to add autocomplete functionality to virtually any fields of a Drupal site.
The module doesn't sufficiently protect access to the module admin page. This vulnerability is mitigated by the fact that the user can only access the page, disable an autocompletion or change priority order.
CVE: CVE-2012-4471
Versions affected
- Search Autocomplete 7.x-2.x versions prior to 7.x-2.4.
Drupal core is not affected. If you do not use the contributed Search Autocomplete module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Search Autocomplete module for Drupal 6.x, upgrade to Search Autocomplete 7.x-2.4
Also see the Search Autocomplete project page.
Reported by
- Reuben Turk (nick: rooby)
Fixed by
- Reuben Turk the module maintainer
- Dominique CLAUSE the module maintainer
Coordinated by
- Greg Knaddison of the Drupal Security Team
- Chris Hales of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
