CVE-2014-7870

Drupal Custom Search Module 6.x-1.x < 6.x-1.12 and 7.x-1.x < 7.x-1.14 - Cross-Site Scripting

Title source: llm
STIX 2.1

Description

Cross-site scripting (XSS) vulnerability in the Custom Search module 6.x-1.x before 6.x-1.12 and 7.x-1.x before 7.x-1.14 for Drupal allows remote authenticated users with the "administer custom search" permission to inject arbitrary web script or HTML via the "Label text" field to admin/config/search/custom_search/results.

References (4)

Core 4
Core References
Mailing List mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2014/Apr/41
Patch x_refsource_confirm
https://www.drupal.org/node/2231531
Vendor Advisory x_refsource_misc
https://www.drupal.org/node/2231665
Patch x_refsource_confirm
https://www.drupal.org/node/2231533

Scores

EPSS 0.0020
EPSS Percentile 41.9%

Details

CWE
CWE-79
Status published
Products (26)
drupal/custom_search_module 6.x-1.0
drupal/custom_search_module 6.x-1.1
drupal/custom_search_module 6.x-1.2
drupal/custom_search_module 6.x-1.3
drupal/custom_search_module 6.x-1.4
drupal/custom_search_module 6.x-1.5
drupal/custom_search_module 6.x-1.6
drupal/custom_search_module 6.x-1.7
drupal/custom_search_module 6.x-1.8
drupal/custom_search_module 6.x-1.9
... and 16 more
Published Oct 06, 2014
Tracked Since Feb 18, 2026