[Security-news] Path Breadcrumbs - Moderately critical - Cross site scripting - SA-CONTRIB-2019-027
security-news at drupal.org
security-news at drupal.org
Wed Feb 27 18:10:50 UTC 2019
View online: https://www.drupal.org/sa-contrib-2019-027
Project: Path Breadcrumbs [1]
Version: 7.x-3.x-dev
Date: 2019-February-27
Security risk: *Moderately critical* 13∕25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross site scripting
Description:
This module enables you to configure breadcrumbs for any Drupal page.
This module doesn't properly sanitize custom breadcrumb configuration in all
cases, leading to an XSS vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "Administer Path Breadcrumbs".
Solution:
Install the latest version:
* Upgrade to Path Breadcrumbs 7.x-3.4 [3]
Also see the Path Breadcrumbs [4] project page.
Reported By:
* poiu [5]
Fixed By:
* Kate Marshalkina [6]
Coordinated By:
* Greg Knaddison [7] of the Drupal Security Team
[1] https://www.drupal.org/project/path_breadcrumbs
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/path_breadcrumbs/releases/7.x-3.4
[4] https://www.drupal.org/project/path_breadcrumbs
[5] https://www.drupal.org/user/194009
[6] https://www.drupal.org/user/1399638
[7] https://www.drupal.org/user/36762
More information about the Security-news
mailing list