View online: https://www.drupal.org/sa-contrib-2020-027
Project: Easy Breadcrumb [1]
Version: 8.x-1.x-dev
Date: 2020-July-22
Security risk: *Moderately critical* 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross site scripting
Description: This module enables you to use the current URL (path alias) and the current page's title to automatically extract the breadcrumb's segments and their respective links, then show them as breadcrumbs on your website.
The module doesn't sufficiently sanitize editor input in certain circumstances, leading to a Cross Site Scripting (XSS) vulnerability.
This vulnerability requires that the user have the 'administer Easy Breadcrumb settings' permission.
Solution: Install the latest version:
* If you use the Easy Breadcrumb module for Drupal 8, upgrade to Easy Breadcrumb 8.x-1.13 [3]
Also see the Easy Breadcrumb [4] project page.
Reported By:
* Greg Boggs [5]
Fixed By:
* Greg Boggs [6]
* Samuel Mortenson [7] of the Drupal Security Team
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/easy_breadcrumb
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/easy_breadcrumb/releases/8.x-1.13
[4] https://www.drupal.org/project/easy_breadcrumb
[5] https://www.drupal.org/user/153069
[6] https://www.drupal.org/user/153069
[7] https://www.drupal.org/user/2582268
[8] https://www.drupal.org/user/36762