View online: https://www.drupal.org/sa-contrib-2019-027
Project: Path Breadcrumbs [1]
Version: 7.x-3.x-dev
Date: 2019-February-27
Security risk: *Moderately critical* 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross site scripting
Description: This module enables you to configure breadcrumbs for any Drupal page.
This module doesn't properly sanitize custom breadcrumb configuration in all cases, leading to an XSS vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer Path Breadcrumbs".
Solution: Install the latest version:
* Upgrade to Path Breadcrumbs 7.x-3.4 [3]
Also see the Path Breadcrumbs [4] project page.
Reported By:
* poiu [5]
Fixed By:
* Kate Marshalkina [6]
Coordinated By:
* Greg Knaddison [7] of the Drupal Security Team
[1] https://www.drupal.org/project/path_breadcrumbs
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/path_breadcrumbs/releases/7.x-3.4
[4] https://www.drupal.org/project/path_breadcrumbs
[5] https://www.drupal.org/user/194009
[6] https://www.drupal.org/user/1399638
[7] https://www.drupal.org/user/36762