View online: https://www.drupal.org/sa-contrib-2022-024

Project: Custom Breadcrumbs [1] Date: 2022-February-09 Security risk: *Less critical* 8∕25 AC:Basic/A:User/CI:None/II:None/E:Theoretical/TD:All [2] Vulnerability: Cross Site Scripting

Description:  The Custom Breadcrumbs module provides a variety of options for customizing the breadcrumb trail.

The module doesn't sufficiently filter on output, leading to a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer custom breadcrumbs" permission.

Solution:  Install the latest version:

* If you use the Custom Breadcrumbs module for Drupal 8.x or 9.x, upgrade to Custom Breadcrumbs 1.0.1 [3]

Reported By:  * Krzysztof Domański [4]

Fixed By:  * Paulo Henrique Cota Starling [5] * Krzysztof Domański [6]

Coordinated By:  * Chris McCafferty [7] of the Drupal Security Team

[1] https://www.drupal.org/project/custom_breadcrumbs [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/custom_breadcrumbs/releases/1.0.1 [4] https://www.drupal.org/user/3572982 [5] https://www.drupal.org/user/3640109 [6] https://www.drupal.org/user/3572982 [7] https://www.drupal.org/user/1850070