Port Cross-site Scripting - Autocomplete system from SA-CORE-2015-003 to Drupal 8

Created on 19 August 2015, over 9 years ago
Updated 20 January 2023, almost 2 years ago

See: https://www.drupal.org/SA-CORE-2015-003
http://cgit.drupalcode.org/drupal/commit/?h=7.x&id=731dfacab8bf39918c135...

A cross-site scripting vulnerability was found in the autocomplete functionality of forms. The requested URL is not sufficiently sanitized.

This vulnerability is mitigated by the fact that the malicious user must be allowed to upload files.

Credit for the D6/D7 version of this patch (the security release):

effulgentsia, Pere Orga, benjy, tim.plunkett, larowlan, pwolanin, David_Rothstein
Type: Task

Status: Needs work

Version: 9.5

Component: Javascript

Last updated 4 days ago

Created by: webchick (Vancouver, Canada)

Tags:
  • Security Advisory follow-up

    This tag is to be applied to issues where an official security release has been made, but the fix needs to be ported to the development version of the code.

  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.
