Project: Search API PagesDate: 2021-December-08Security risk: Critical 16∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Cross Site ScriptingDescription: This module enables you to create simple search pages based on Search API without the use of Views.
The module doesn’t sufficiently escape all variables provided for custom templates.
This vulnerability is mitigated by the fact that the default template provided by the module is not affected.Solution: Install the latest version:

If you use the Search API Pages module for Drupal 7.x, upgrade to Search API Pages 7.x-1.6
Reported By: 
Duncan Davidson
Fixed By: 
Damien McKenna of the Drupal Security Team
Duncan Davidson
Thomas Seidl
Joris Vercammen
Coordinated By: 
Chris of the Drupal Security Team
Greg Knaddison of the Drupal Security Team

   

Read the original story