[Security-news] Panels Breadcrumbs - Moderately critical - Cross site scripting - SA-CONTRIB-2019-007
security-news at drupal.org
security-news at drupal.org
Wed Jan 23 19:15:28 UTC 2019
View online: https://www.drupal.org/sa-contrib-2019-007
Project: Panels Breadcrumbs [1]
Version: 7.x-2.3
Date: 2019-January-23
Security risk: *Moderately critical* 14∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross site scripting
Description:
Panels Breadcrumbs allows you to set your breadcrumbs directly from Panels
configuration.
This module doesn't properly sanitize custom breadcrumb configuration in all
cases, leading to an XSS vulnerability.
This vulnerability is mitigated by the fact that an attacker must have
permission to edit breadcrumb configuration, or the value of a token used in
breadcrumb configuration.
Solution:
If using version 7.x-2.3 or earlier, upgrade to version 7.x-2.4 or later. [3]
Reported By:
* abramm [4]
Fixed By:
* abramm [5]
* David Snopek [6] of the Drupal Security Team
Coordinated By:
* David Snopek [7] of the Drupal Security Team
* Pere Orga [8] of the Drupal Security Team
* Mike Potter [9] of the Drupal Security Team
[1] https://www.drupal.org/project/panels_breadcrumbs
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/panels_breadcrumbs/releases/7.x-2.4
[4] https://www.drupal.org/user/146363
[5] https://www.drupal.org/user/146363
[6] https://www.drupal.org/u/dsnopek
[7] https://www.drupal.org/u/dsnopek
[8] https://security.drupal.org/user/34908
[9] https://www.drupal.org/u/mpotter
More information about the Security-news
mailing list