
it-securitynotifies - [IT-SecNots] [Security-news] Panels Breadcrumbs - Moderately critical - Cross site scripting - SA-CONTRIB-2019-007

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Panels Breadcrumbs - Moderately critical - Cross site scripting - SA-CONTRIB-2019-007
  • Date: Wed, 23 Jan 2019 19:15:28 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2019-007

Project: Panels Breadcrumbs [1]
Version: 7.x-2.3
Date: 2019-January-23
Security risk: *Moderately critical* 14∕25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross site scripting

Description: 
Panels Breadcrumbs allows you to set your breadcrumbs directly from Panels
configuration.

This module doesn't properly sanitize custom breadcrumb configuration in all
cases, leading to an XSS vulnerability.

This vulnerability is mitigated by the fact that an attacker must have
permission to edit breadcrumb configuration, or the value of a token used in
breadcrumb configuration.

Solution: 
If using version 7.x-2.3 or earlier, upgrade to version 7.x-2.4 or later. [3]

Reported By: 
* abramm [4]

Fixed By: 
* abramm [5]
* David Snopek [6] of the Drupal Security Team

Coordinated By: 
* David Snopek [7] of the Drupal Security Team
* Pere Orga [8] of the Drupal Security Team
* Mike Potter [9] of the Drupal Security Team


[1] https://www.drupal.org/project/panels_breadcrumbs
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/panels_breadcrumbs/releases/7.x-2.4
[4] https://www.drupal.org/user/146363
[5] https://www.drupal.org/user/146363
[6] https://www.drupal.org/u/dsnopek
[7] https://www.drupal.org/u/dsnopek
[8] https://security.drupal.org/user/34908
[9] https://www.drupal.org/u/mpotter

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
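
An added example, not part of the advisory or the module's own code: a Python check that finds `panels_breadcrumbs.info` under a Drupal 7 docroot and classifies the installed release against the 7.x-2.3 / 7.x-2.4 boundary given in the Solution. It assumes the `version = "..."` line that drupal.org packaging writes into `.info` files; the function names and the sample text are constructed for illustration.

```python
import re
from pathlib import Path

FIXED = (2, 4)  # first fixed release named in the advisory: 7.x-2.4
VERSION_RE = re.compile(
    r'^\s*version\s*=\s*"?7\.x-(\d+)\.(\d+|x)([^"\s]*)"?\s*$', re.M)

# Constructed sample of a packaged .info file (not copied from the module).
SAMPLE_INFO = (
    'name = Panels Breadcrumbs\n'
    'core = 7.x\n'
    'version = "7.x-2.3"\n'
    'project = "panels_breadcrumbs"\n'
)

def classify(info_text):
    """Return 'vulnerable', 'fixed' or 'unknown' for the text of a .info file."""
    m = VERSION_RE.search(info_text)
    if not m or m.group(2) == "x":
        # No packaging metadata (e.g. a git checkout) or a 7.x-N.x-dev build:
        # the version string cannot tell us whether the fix is present.
        return "unknown"
    release = (int(m.group(1)), int(m.group(2)))
    suffix = m.group(3)  # "", "-rc1", "+5-dev", ...
    if release > FIXED:
        return "fixed"
    if release == FIXED:
        # A pre-release of 7.x-2.4 may predate the fix.
        return "unknown" if suffix.startswith("-") else "fixed"
    # Dev snapshot taken after an affected release: may or may not carry the fix.
    return "unknown" if suffix.startswith("+") else "vulnerable"

def scan(docroot):
    """Map each panels_breadcrumbs.info found under docroot to its status."""
    results = {}
    for info in sorted(Path(docroot).rglob("panels_breadcrumbs.info")):
        text = info.read_text(encoding="utf-8", errors="replace")
        results[str(info.relative_to(docroot))] = classify(text)
    return results

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, status in scan(root).items():
        print(f"{status:10} {path}")
```

Treat `unknown` as needing a manual check of the deployed code against the 7.x-2.4 release rather than as safe.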

