[Security-news] Easy Breadcrumb - Critical - Cross Site Scripting - SA-CONTRIB-2019-053
security-news at drupal.org
Wed Jun 19 17:25:33 UTC 2019
View online: https://www.drupal.org/sa-contrib-2019-053
Project: Easy Breadcrumb [1]
Version: 7.x-2.x-dev
Date: 2019-June-19
Security risk: *Critical* 15/25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Scripting
Description:
This module builds breadcrumbs from the current URL (path alias) and the
current page's title: it splits the path into segments, turns each segment
into a breadcrumb link, and displays the result on your website.
In certain circumstances the module does not sufficiently sanitise this
user-controlled text before rendering it, so an attacker can inject markup or
script through the breadcrumb (cross-site scripting).
Exploitation does not require any permissions. Until the fixed release is
installed, the issue can be mitigated by un-checking the 'Allow HTML tags in
breadcrumb text' setting (it is enabled by default). Browsers' built-in XSS
filters may block some payloads, but they are not a reliable defence: Firefox
has no such filter and Chrome removed its XSS Auditor in version 78.
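The plain-PHP sketch below is an added example, not code from the Easy
Breadcrumb module or from the Drupal Security Team; the function names, the
breadcrumb markup and the attack path are assumptions made for illustration.
It shows why the 'Allow HTML tags in breadcrumb text' option matters: when a
single "allow HTML" switch governs text that was derived from the request
path, a crafted URL is rendered unescaped and the page executes the attacker's
script. The hardened version always escapes URL-derived segments and, when
HTML is wanted in the title, permits only a fixed allowlist of attribute-free
tags (in real Drupal 7 code that role is played by check_plain() and
filter_xss()).

```php
<?php
// Added illustration of the advisory's issue in plain PHP; this is NOT the
// Easy Breadcrumb module's code. Function names, markup and the sample path
// are assumptions made for the example. Run with: php breadcrumb_demo.php

/**
 * Split a request path / path alias into breadcrumb segments.
 * Anonymous visitors control this input completely.
 */
function breadcrumb_segments(string $path_alias): array
{
    $parts = explode('/', trim($path_alias, '/'));
    $parts = array_filter($parts, 'strlen');            // drop empty segments
    return array_values(array_map('rawurldecode', $parts));
}

/** Turn a path segment such as "my-first-post" into display text. */
function segment_to_text(string $segment): string
{
    return ucwords(str_replace(['-', '_'], ' ', $segment));
}

/** HTML-escape text; the equivalent of Drupal 7's check_plain(). */
function escape_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

/**
 * Tag allowlist that keeps only bare <em> and <strong> (no attributes):
 * everything is escaped first, then exactly those tags are restored.
 * This stands in for Drupal 7's filter_xss() with a tight allowlist.
 */
function filter_inline_html(string $text): string
{
    $escaped = escape_html($text);
    return preg_replace('#&lt;(/?)(em|strong)&gt;#', '<$1$2>', $escaped);
}

/**
 * Vulnerable pattern: one "allow HTML" switch governs every piece of text,
 * including segments that came straight from the URL. With the switch on
 * (the advisory notes it is enabled by default) the URL is rendered raw.
 */
function render_breadcrumb_vulnerable(array $segments, string $title, bool $allow_html): string
{
    $items = [];
    foreach ($segments as $segment) {
        $text = segment_to_text($segment);
        $items[] = $allow_html ? $text : escape_html($text);
    }
    $items[] = $allow_html ? $title : escape_html($title);
    return '<ol class="breadcrumb"><li>' . implode('</li><li>', $items) . '</li></ol>';
}

/**
 * Hardened pattern: URL-derived text is always escaped regardless of the
 * setting; the setting only decides whether the page title may carry a
 * small set of attribute-free inline tags.
 */
function render_breadcrumb_hardened(array $segments, string $title, bool $allow_html): string
{
    $items = [];
    foreach ($segments as $segment) {
        $items[] = escape_html(segment_to_text($segment));
    }
    $items[] = $allow_html ? filter_inline_html($title) : escape_html($title);
    return '<ol class="breadcrumb"><li>' . implode('</li><li>', $items) . '</li></ol>';
}

// Constructed attacker URL (not taken from the advisory): the second path
// segment is a URL-encoded <img> tag carrying an onerror handler.
$attack_path = '/blog/%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E/post';
$segments    = breadcrumb_segments($attack_path);
$title       = 'My <em>first</em> post';

echo "Vulnerable, 'Allow HTML tags' on (default): the <img> tag is emitted raw\n";
echo render_breadcrumb_vulnerable($segments, $title, true), "\n\n";

echo "Vulnerable, 'Allow HTML tags' off (the advisory's workaround): escaped\n";
echo render_breadcrumb_vulnerable($segments, $title, false), "\n\n";

echo "Hardened, 'Allow HTML tags' on: URL text escaped, title keeps bare <em>\n";
echo render_breadcrumb_hardened($segments, $title, true), "\n";
```

The point to check when reviewing a module like this is the second render
function: the workaround in the advisory works only because it flips the one
switch that also covers URL-derived text, whereas the fix is to stop treating
request-derived strings as trusted at all, independent of any setting.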
Solution:
Install the latest version:
* If you use the Easy Breadcrumb module for Drupal 7.x, upgrade to Easy
Breadcrumb 7.x-2.17 [3]
Also see the Easy Breadcrumb [4] project page.
Reported By:
* Jill Garland [5]
* P K [6]
Fixed By:
* Balazs Janos Tatar [7] Provisional Member of the Drupal Security Team
* Drew Webber [8] of the Drupal Security Team
Coordinated By:
* Drew Webber [9] of the Drupal Security Team
[1] https://www.drupal.org/project/easy_breadcrumb
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/easy_breadcrumb/releases/7.x-2.17
[4] https://www.drupal.org/project/easy_breadcrumb
[5] https://www.drupal.org/user/3617346
[6] https://www.drupal.org/user/2407432
[7] https://www.drupal.org/user/649590
[8] https://www.drupal.org/user/255969
[9] https://www.drupal.org/user/255969