Vulnerability-Lookup

Vulnerability from drupal

Published

2024-10-09 15:54

Modified

2025-02-20 19:26

Summary

Details

This module enables you to to easily create and manage faceted search interfaces.

The module doesn't sufficiently filter for malicious script leading to a reflected cross site scripting (XSS) vulnerability.

The vulnerability exists in the Facets Summary submodule. If you do not use that sub module your site is not vulnerable to this issue.

Edited October 9, 2024: clarified that Facets Summary is where the vulnerability is located

Credits

Andrea Racco www.drupal.org/user/2950843

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "affected_versions": "\u003c2.0.9"
      },
      "package": {
        "ecosystem": "Packagist:https://packages.drupal.org/8",
        "name": "drupal/facets"
      },
      "ranges": [
        {
          "database_specific": {
            "constraint": "\u003c2.0.9"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": []
    }
  ],
  "aliases": [
    "CVE-2024-13283"
  ],
  "credits": [
    {
      "contact": [
        "https://www.drupal.org/user/2950843"
      ],
      "name": "Andrea Racco"
    }
  ],
  "details": "This module enables you to to easily create and manage faceted search interfaces.\n\nThe module doesn\u0027t sufficiently filter for malicious script leading to a reflected cross site scripting (XSS) vulnerability.\n\nThe vulnerability exists in the Facets Summary submodule. If you do not use that sub module your site is not vulnerable to this issue.\n\n*Edited October 9, 2024: clarified that Facets Summary is where the vulnerability is located*",
  "id": "DRUPAL-CONTRIB-2024-047",
  "modified": "2025-02-20T19:26:17.000Z",
  "published": "2024-10-09T15:54:27.000Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2024-047"
    }
  ],
  "schema_version": "1.7.0"
}

CVE-2024-13283 (GCVE-0-2024-13283)

Vulnerability from cvelistv5 – Published: 2025-01-09 19:36 – Updated: 2025-01-09 21:12

Title

Facets - Critical - Cross Site Scripting - SA-CONTRIB-2024-047

Summary

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Facets allows Cross-Site Scripting (XSS).This issue affects Facets: from 0.0.0 before 2.0.9.

Severity ?

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

drupal

References

URL

Tags

https://www.drupal.org/sa-contrib-2024-047

Impacted products

	Vendor	Product	Version
	Drupal	Facets	Affected: 0.0.0 , < 2.0.9 (semver)

Credits

Andrea Racco Andrea Racco Markus Kalkbrenner Joris Vercammen Jimmy Henderickx Greg Knaddison Juraj Nemec

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-13283",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-09T20:53:42.799976Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-09T21:12:31.197Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.drupal.org/project/facets",
          "defaultStatus": "unaffected",
          "product": "Facets",
          "repo": "https://git.drupalcode.org/project/facets",
          "vendor": "Drupal",
          "versions": [
            {
              "lessThan": "2.0.9",
              "status": "affected",
              "version": "0.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Andrea Racco"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Andrea Racco"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Markus Kalkbrenner"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Joris Vercammen"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Jimmy Henderickx"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Greg Knaddison"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Juraj Nemec"
        }
      ],
      "datePublic": "2024-10-09T15:54:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal Facets allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects Facets: from 0.0.0 before 2.0.9.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Drupal Facets allows Cross-Site Scripting (XSS).This issue affects Facets: from 0.0.0 before 2.0.9."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-63",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-63 Cross-Site Scripting (XSS)"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-09T19:36:22.779Z",
        "orgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
        "shortName": "drupal"
      },
      "references": [
        {
          "url": "https://www.drupal.org/sa-contrib-2024-047"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Facets - Critical - Cross Site Scripting - SA-CONTRIB-2024-047",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387",
    "assignerShortName": "drupal",
    "cveId": "CVE-2024-13283",
    "datePublished": "2025-01-09T19:36:22.779Z",
    "dateReserved": "2025-01-09T18:28:19.071Z",
    "dateUpdated": "2025-01-09T21:12:31.197Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

Vulnerability from drupal

CVE-2024-13283 (GCVE-0-2024-13283)

Tags

Sightings

Nomenclature