View online: https://www.drupal.org/sa-contrib-2019-007
Project: Panels Breadcrumbs [1]
Version: 7.x-2.3
Date: 2019-January-23
Security risk: *Moderately critical* 14/25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross site scripting
Description:
Panels Breadcrumbs allows you to set your breadcrumbs directly from Panels configuration.

This module doesn't properly sanitize custom breadcrumb configuration in all cases, leading to an XSS vulnerability.

This vulnerability is mitigated by the fact that an attacker must have permission to edit breadcrumb configuration, or be able to control the value of a token used in breadcrumb configuration.
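The following is an added illustration of the pattern this advisory describes, not code from the Panels Breadcrumbs module: a breadcrumb title taken from configuration has tokens replaced and is then rendered as a link. The unsafe variant trusts the replaced text as HTML, the safe one escapes it after replacement. The token name and values are constructed for the example; check_plain() is Drupal 7's escaping helper, and the fallback definition matches its implementation so the script also runs outside a Drupal bootstrap.

```php
<?php
// Added example, not the module's code. Drupal 7's check_plain() is
// htmlspecialchars($text, ENT_QUOTES, 'UTF-8'); define the same fallback
// so this file runs stand-alone as well as inside Drupal.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed stand-in for token replacement. Token values come from
// content a lower-privileged user may edit (e.g. a node title), which is
// why the advisory counts "control of a token value" as an attack path.
function replace_tokens($text, array $tokens) {
  return strtr($text, $tokens);
}

// Unsafe: the replaced title is emitted as-is, so any markup carried by a
// token value reaches the page. In Drupal 7 this is what passing
// array('html' => TRUE) to l() does for a title you did not sanitize.
function breadcrumb_link_unsafe($title, $path, array $tokens) {
  return '<a href="' . check_plain($path) . '">'
    . replace_tokens($title, $tokens) . '</a>';
}

// Safe: escape the text after token replacement. l() does this by default
// when 'html' is not set; the point is that the escape must happen on the
// final string, not on the configured template before replacement.
function breadcrumb_link_safe($title, $path, array $tokens) {
  return '<a href="' . check_plain($path) . '">'
    . check_plain(replace_tokens($title, $tokens)) . '</a>';
}

// Constructed sample: a configured breadcrumb template and a hostile token value.
$tokens = array('[node:title]' => '<script>alert("xss")</script>');
$config_title = 'Home » [node:title]';

echo breadcrumb_link_unsafe($config_title, 'node/1', $tokens), "\n";  // script tag survives
echo breadcrumb_link_safe($config_title, 'node/1', $tokens), "\n";    // rendered as &lt;script&gt;...
```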
Solution:
If using version 7.x-2.3 or earlier, upgrade to version 7.x-2.4 or later. [3]
Reported By:
* abramm [4]

Fixed By:
* abramm [5]
* David Snopek [6] of the Drupal Security Team

Coordinated By:
* David Snopek [7] of the Drupal Security Team
* Pere Orga [8] of the Drupal Security Team
* Mike Potter [9] of the Drupal Security Team
[1] https://www.drupal.org/project/panels_breadcrumbs
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/panels_breadcrumbs/releases/7.x-2.4
[4] https://www.drupal.org/user/146363
[5] https://www.drupal.org/user/146363
[6] https://www.drupal.org/u/dsnopek
[7] https://www.drupal.org/u/dsnopek
[8] https://security.drupal.org/user/34908
[9] https://www.drupal.org/u/mpotter