CVE-2013-0181 - OpenCVE

Cross-site scripting (XSS) vulnerability in Views in the Search API (search_api) module 7.x-1.x before 7.x-1.4 for Drupal, when using certain backends and facets, allows remote attackers to inject arbitrary web script or HTML via unspecified input, which is returned in an error message.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:H/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Thomas Seidl	Search Api
Drupal	Drupal

Configuration 1 [-]

AND

OR	cpe:2.3:a:thomas_seidl:search_api:7.x-1.0:::::::*
	cpe:2.3:a:thomas_seidl:search_api:7.x-1.0:beta1::::::
	cpe:2.3:a:thomas_seidl:search_api:7.x-1.0:beta10::::::
	cpe:2.3:a:thomas_seidl:search_api:7.x-1.0:beta2::::::
	cpe:2.3:a:thomas_seidl:search_api:7.x-1.0:beta3::::::
	cpe:2.3:a:thomas_seidl:search_api:7.x-1.0:beta4::::::
	cpe:2.3:a:thomas_seidl:search_api:7.x-1.0:beta5::::::
	cpe:2.3:a:thomas_seidl:search_api:7.x-1.0:beta6::::::
	cpe:2.3:a:thomas_seidl:search_api:7.x-1.0:beta7::::::
	cpe:2.3:a:thomas_seidl:search_api:7.x-1.0:beta8::::::
	cpe:2.3:a:thomas_seidl:search_api:7.x-1.0:beta9::::::
	cpe:2.3:a:thomas_seidl:search_api:7.x-1.0:rc1::::::
	cpe:2.3:a:thomas_seidl:search_api:7.x-1.1:::::::*
	cpe:2.3:a:thomas_seidl:search_api:7.x-1.2:::::::*
	cpe:2.3:a:thomas_seidl:search_api:7.x-1.3:::::::*
	cpe:2.3:a:thomas_seidl:search_api:7.x-1.x:dev::::::

cpe:2.3:a:drupal:drupal:-:*:*:*:*:*:*:*

References

Link	Resource
http://drupalcode.org/project/search_api.git/commitdiff/35b5728
http://osvdb.org/89117
http://secunia.com/advisories/51806
http://www.openwall.com/lists/oss-security/2013/01/15/3
http://www.securityfocus.com/bid/57231
https://drupal.org/node/1884076	Patch
https://drupal.org/node/1884332	Patch Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/81153

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2013-03-27T21:00:00

Updated: 2017-08-28T12:57:01

Reserved: 2012-12-06T00:00:00

Link: CVE-2013-0181

JSON object: View

NVD Information

Status : Modified

Published: 2013-03-27T21:55:01.477

Modified: 2017-08-29T01:32:59.917

Link: CVE-2013-0181

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-01-09T00:00:00", "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in Views in the Search API (search_api) module 7.x-1.x before 7.x-1.4 for Drupal, when using certain backends and facets, allows remote attackers to inject arbitrary web script or HTML via unspecified input, which is returned in an error message."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-28T12:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "89117", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/89117"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://drupalcode.org/project/search_api.git/commitdiff/35b5728"}, {"name": "51806", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/51806"}, {"name": "[oss-security] 20130114 Re: CVE request for Drupal contributed modules", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2013/01/15/3"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://drupal.org/node/1884076"}, {"name": "57231", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/57231"}, {"name": "drupal-searchapi-unspecified-xss(81153)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81153"}, {"tags": ["x_refsource_MISC"], "url": "https://drupal.org/node/1884332"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-0181", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in Views in the Search API (search_api) module 7.x-1.x before 7.x-1.4 for Drupal, when using certain backends and facets, allows remote attackers to inject arbitrary web script or HTML via unspecified input, which is returned in an error message."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "89117", "refsource": "OSVDB", "url": "http://osvdb.org/89117"}, {"name": "http://drupalcode.org/project/search_api.git/commitdiff/35b5728", "refsource": "CONFIRM", "url": "http://drupalcode.org/project/search_api.git/commitdiff/35b5728"}, {"name": "51806", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/51806"}, {"name": "[oss-security] 20130114 Re: CVE request for Drupal contributed modules", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2013/01/15/3"}, {"name": "https://drupal.org/node/1884076", "refsource": "CONFIRM", "url": "https://drupal.org/node/1884076"}, {"name": "57231", "refsource": "BID", "url": "http://www.securityfocus.com/bid/57231"}, {"name": "drupal-searchapi-unspecified-xss(81153)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81153"}, {"name": "https://drupal.org/node/1884332", "refsource": "MISC", "url": "https://drupal.org/node/1884332"}]}}}}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-0181", "datePublished": "2013-03-27T21:00:00", "dateReserved": "2012-12-06T00:00:00", "dateUpdated": "2017-08-28T12:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:thomas_seidl:search_api:7.x-1.0:*:*:*:*:*:*:*", "matchCriteriaId": "5C2AB57F-CE66-4592-BE8D-54F8CA2541EE", "vulnerable": true}, {"criteria": "cpe:2.3:a:thomas_seidl:search_api:7.x-1.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "14B38EFB-3FF4-4913-AC01-989D607B939E", "vulnerable": true}, {"criteria": "cpe:2.3:a:thomas_seidl:search_api:7.x-1.0:beta10:*:*:*:*:*:*", "matchCriteriaId": "8D295DF2-D19B-461D-88C8-73D47E30A372", "vulnerable": true}, {"criteria": "cpe:2.3:a:thomas_seidl:search_api:7.x-1.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "62A480F5-6F09-4B13-A0E9-2354D6278623", "vulnerable": true}, {"criteria": "cpe:2.3:a:thomas_seidl:search_api:7.x-1.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "424D71B8-8967-47E4-876F-9C8EFB911FEE", "vulnerable": true}, {"criteria": "cpe:2.3:a:thomas_seidl:search_api:7.x-1.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "6E6046E7-E785-44D6-8A68-08B3668CEEA3", "vulnerable": true}, {"criteria": "cpe:2.3:a:thomas_seidl:search_api:7.x-1.0:beta5:*:*:*:*:*:*", "matchCriteriaId": "7822CF23-9363-414B-9170-162F86A11596", "vulnerable": true}, {"criteria": "cpe:2.3:a:thomas_seidl:search_api:7.x-1.0:beta6:*:*:*:*:*:*", "matchCriteriaId": "EA11D4BC-6282-4711-9C84-ED9A535E9E24", "vulnerable": true}, {"criteria": "cpe:2.3:a:thomas_seidl:search_api:7.x-1.0:beta7:*:*:*:*:*:*", "matchCriteriaId": "6E9A810B-75B0-4D59-B02D-0EC5CD864547", "vulnerable": true}, {"criteria": "cpe:2.3:a:thomas_seidl:search_api:7.x-1.0:beta8:*:*:*:*:*:*", "matchCriteriaId": "E974B710-A35D-414D-BE38-C6A93159F2C5", "vulnerable": true}, {"criteria": "cpe:2.3:a:thomas_seidl:search_api:7.x-1.0:beta9:*:*:*:*:*:*", "matchCriteriaId": "E6B3A0F6-83D1-4FEB-90B7-70175820321F", "vulnerable": true}, {"criteria": "cpe:2.3:a:thomas_seidl:search_api:7.x-1.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F876DCAA-43BF-436D-AC11-0AEB02ED2FA3", "vulnerable": true}, {"criteria": "cpe:2.3:a:thomas_seidl:search_api:7.x-1.1:*:*:*:*:*:*:*", "matchCriteriaId": "3863F7DF-D7FF-4189-BD50-1309241EA4AA", "vulnerable": true}, {"criteria": "cpe:2.3:a:thomas_seidl:search_api:7.x-1.2:*:*:*:*:*:*:*", "matchCriteriaId": "E42D1BCF-6994-434A-94DF-9AEDB1ED4B8A", "vulnerable": true}, {"criteria": "cpe:2.3:a:thomas_seidl:search_api:7.x-1.3:*:*:*:*:*:*:*", "matchCriteriaId": "9B334570-6DA2-49F4-B0A4-4D88E9A9B935", "vulnerable": true}, {"criteria": "cpe:2.3:a:thomas_seidl:search_api:7.x-1.x:dev:*:*:*:*:*:*", "matchCriteriaId": "7C495A87-A4CE-456E-BF41-3C3077609A6E", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:drupal:drupal:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B1170D-AD33-4C7A-892D-63AC71B032CF", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in Views in the Search API (search_api) module 7.x-1.x before 7.x-1.4 for Drupal, when using certain backends and facets, allows remote attackers to inject arbitrary web script or HTML via unspecified input, which is returned in an error message."}, {"lang": "es", "value": "Vulnerabilidad de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en Views en el API Search (search_api) m\u00f3dulo v7.x-1.x antes de v7.x-1.4 para Drupal, cuando se utilizan backends o ciertas facetas, permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s de la entrada no especificada,lo que se devuelve un mensaje de error."}], "id": "CVE-2013-0181", "lastModified": "2017-08-29T01:32:59.917", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.6, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2013-03-27T21:55:01.477", "references": [{"source": "secalert@redhat.com", "url": "http://drupalcode.org/project/search_api.git/commitdiff/35b5728"}, {"source": "secalert@redhat.com", "url": "http://osvdb.org/89117"}, {"source": "secalert@redhat.com", "url": "http://secunia.com/advisories/51806"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2013/01/15/3"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/57231"}, {"source": "secalert@redhat.com", "tags": ["Patch"], "url": "https://drupal.org/node/1884076"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://drupal.org/node/1884332"}, {"source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81153"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}