View online: https://www.drupal.org/sa-contrib-2022-024 Project: Custom Breadcrumbs [1] Date: 2022-February-09 Security risk: *Less critical* 8∕25 AC:Basic/A:User/CI:None/II:None/E:Theoretical/TD:All [2] Vulnerability: Cross Site Scripting Description:  The Custom Breadcrumbs module provides a variety of options for customizing the breadcrumb trail. The module doesn't sufficiently filter on output, leading to a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer custom breadcrumbs" permission. Solution:  Install the latest version: * If you use the Custom Breadcrumbs module for Drupal 8.x or 9.x, upgrade to Custom Breadcrumbs 1.0.1 [3] Reported By:  * Krzysztof Domański [4] Fixed By:  * Paulo Henrique Cota Starling [5] * Krzysztof Domański [6] Coordinated By:  * Chris McCafferty [7] of the Drupal Security Team [1] https://www.drupal.org/project/custom_breadcrumbs [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/custom_breadcrumbs/releases/1.0.1 [4] https://www.drupal.org/user/3572982 [5] https://www.drupal.org/user/3640109 [6] https://www.drupal.org/user/3572982 [7] https://www.drupal.org/user/1850070