View online: https://www.drupal.org/node/2336263
* Advisory ID: DRUPAL-SA-CONTRIB-2014-086
* Project: Custom Breadcrumbs [1] (third-party module)
* Version: 6.x, 7.x
* Date: 2014-September-10
* Security risk: 16/25 (Critical) AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting
-------- DESCRIPTION ---------------------------------------------------------
Custom Breadcrumbs allows administrators to set up parametrized breadcrumb trails for different content types, views, panels, taxonomy vocabularies and terms, and paths, and provides a simple API that allows contributed modules to enable custom breadcrumbs for module pages and theme templates.
User input is not properly sanitized in all use cases, opening a Cross Site Scripting (XSS) vulnerability.
The vulnerability is only present when the custom breadcrumb is configured with the special identifier so that some of the breadcrumb items are not links. A typical example is a last breadcrumb element that shows the current page title but is not a link. The XSS vulnerability is not triggered if all items of the breadcrumb are links and the special identifier is not used.
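To make the failure mode concrete, here is a hypothetical breadcrumb renderer (added for this advisory; it is not the Custom Breadcrumbs module's code) that escapes link items through the link builder but prints a non-link item's title raw, next to the hardened version that escapes every title. The "no link" marker is assumed to be the string `<none>`; the advisory does not name the identifier. The escaping helper does what Drupal 7's check_plain() does internally.

```php
<?php
// Hypothetical example illustrating the bug class described in the advisory.
// Names and the '<none>' marker are assumptions, not the module's own code.

// Equivalent of Drupal 7 check_plain(): htmlspecialchars with ENT_QUOTES, UTF-8.
function escape_plain(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern: link items are escaped when the anchor is built, but an
// item whose path equals the "no link" marker is emitted without escaping.
function render_breadcrumb_vulnerable(array $items, string $nolink = '<none>'): string {
    $out = [];
    foreach ($items as $item) {
        if ($item['path'] === $nolink) {
            $out[] = $item['title'];  // BUG: title reaches the page unescaped
        } else {
            $out[] = '<a href="' . escape_plain($item['path']) . '">'
                   . escape_plain($item['title']) . '</a>';
        }
    }
    return implode(' &raquo; ', $out);
}

// Hardened pattern: the title is escaped on every code path, link or not.
function render_breadcrumb_fixed(array $items, string $nolink = '<none>'): string {
    $out = [];
    foreach ($items as $item) {
        $title = escape_plain($item['title']);
        $out[] = ($item['path'] === $nolink)
            ? $title
            : '<a href="' . escape_plain($item['path']) . '">' . $title . '</a>';
    }
    return implode(' &raquo; ', $out);
}

// Constructed sample: the last crumb shows the current page title as plain
// text, and that title carries user-supplied markup (e.g. a node title).
$crumbs = [
    ['title' => 'Home',                          'path' => '/'],
    ['title' => 'News',                          'path' => '/news'],
    ['title' => 'Story <script>alert(1)</script>', 'path' => '<none>'],
];

echo render_breadcrumb_vulnerable($crumbs), "\n"; // <script> tag survives into the page
echo render_breadcrumb_fixed($crumbs), "\n";      // rendered as &lt;script&gt;..., inert
```

The check a reviewer wants from a fix like the one in 6.x-1.6 / 7.x-2.0-beta1 is that every branch which emits a title, not only the link branch, passes it through check_plain() or the theme layer's escaping.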
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
-------- VERSIONS AFFECTED ---------------------------------------------------
* Custom Breadcrumbs 6.x-1.x versions prior to 6.x-1.6
* Custom Breadcrumbs 6.x-2.x versions are NOT affected
* Custom Breadcrumbs 7.x-2.x versions prior to 7.x-2.0-beta1
Drupal core is not affected. If you do not use the contributed Custom Breadcrumbs [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Custom Breadcrumbs module version 1.x for Drupal 6.x, upgrade to Custom Breadcrumbs 6.x-1.6 [5].
* If you use the Custom Breadcrumbs module version 2.x for Drupal 7.x, upgrade to Custom Breadcrumbs 7.x-2.0-beta1 [6].
Also see the Custom Breadcrumbs [7] project page.
-------- REPORTED BY ---------------------------------------------------------
* Markus Sipilä [8]
-------- FIXED BY ------------------------------------------------------------
* Markus Sipilä [9]
* Colan Schwartz [10], the module maintainer
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15].
[1] https://www.drupal.org/project/custom_breadcrumbs
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/custom_breadcrumbs
[5] https://www.drupal.org/node/2335705
[6] https://www.drupal.org/node/2335721
[7] https://www.drupal.org/project/custom_breadcrumbs
[8] https://www.drupal.org/user/109674
[9] https://www.drupal.org/user/109674
[10] https://www.drupal.org/user/58704
[11] https://www.drupal.org/user/36762
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration