Advisory ID: SA-CONTRIB-2017-008
Vulnerability: Cross Site Scripting
Versions affected:
  • Search404 versions prior to 1.x-1.1.2

The Search 404 module enables you to redirect 404 pages to a search page on the site for the keywords in the URL that was not found.

The module did not filter administrator-provided text before displaying it to the user on the 404 page, creating a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer search".
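
The pattern described above, as an added illustration that is not the Search 404 module's code: plain PHP with hypothetical function and setting names, where `htmlspecialchars()` stands in for the missing output filtering. It also includes a small check that lists stored settings containing markup so they can be reviewed after upgrading.

```php
<?php
// Added illustration; not the Search 404 module's source.
// All function names and setting keys below are hypothetical.

// Plain-PHP stand-in for an output-escaping helper.
function escape(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: administrator-provided text is placed in the page as-is.
function render_404_unfiltered(string $admin_text, string $keys): string {
  return '<h1>' . $admin_text . '</h1><p>Results for ' . escape($keys) . '</p>';
}

// Hardened pattern: the setting is treated as plain text and escaped on output.
function render_404_escaped(string $admin_text, string $keys): string {
  return '<h1>' . escape($admin_text) . '</h1><p>Results for ' . escape($keys) . '</p>';
}

// Review aid: return the keys of stored settings whose value contains HTML
// metacharacters, i.e. values that render differently once escaping is applied.
// A hit is a prompt for manual review, not proof of injected script.
function settings_needing_review(array $settings): array {
  return array_keys(array_filter(
    $settings,
    fn($value) => is_string($value) && escape($value) !== $value
  ));
}

// Constructed sample data standing in for stored module settings.
$settings = [
  'page_title'  => 'Page not found',
  'custom_text' => 'Sorry <img src=x onerror="alert(document.domain)">',
];
$keys = 'missing page';

// The unfiltered output carries the tag and its event handler into the page.
echo render_404_unfiltered($settings['custom_text'], $keys), PHP_EOL;
// The escaped output shows the same characters as inert text.
echo render_404_escaped($settings['custom_text'], $keys), PHP_EOL;
// Lists the setting keys to inspect by hand.
print_r(settings_needing_review($settings));
```

Within Backdrop, `check_plain()` performs this kind of escaping and `filter_xss_admin()` permits a limited set of tags for text that must carry markup.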

Solution:

If you use the Search404 module for Backdrop CMS 1.x, upgrade to Search 404 1.1.2.

Reported By: 
Fixed By: 
Coordinated By: