it-securitynotifies - [IT-SecNots] [Security-news] Path Breadcrumbs - Moderately critical - Cross site scripting - SA-CONTRIB-2019-027

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Path Breadcrumbs - Moderately critical - Cross site scripting - SA-CONTRIB-2019-027
  • Date: Wed, 27 Feb 2019 18:10:50 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2019-027

Project: Path Breadcrumbs [1]
Version: 7.x-3.x-dev
Date: 2019-February-27
Security risk: *Moderately critical* 13∕25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross site scripting

Description: 
This module enables you to configure breadcrumbs for any Drupal page.

This module doesn't properly sanitize custom breadcrumb configuration in all
cases, leading to an XSS vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "Administer Path Breadcrumbs".

Solution: 
Install the latest version:

* Upgrade to Path Breadcrumbs 7.x-3.4 [3]

Also see the Path Breadcrumbs [4] project page.

Reported By: 
* poiu [5]

Fixed By: 
* Kate Marshalkina [6]

Coordinated By: 
* Greg Knaddison [7] of the Drupal Security Team


[1] https://www.drupal.org/project/path_breadcrumbs
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/path_breadcrumbs/releases/7.x-3.4
[4] https://www.drupal.org/project/path_breadcrumbs
[5] https://www.drupal.org/user/194009
[6] https://www.drupal.org/user/1399638
[7] https://www.drupal.org/user/36762
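
To confirm that the upgrade named under "Solution" has been applied on a given server, the following added example (not part of the advisory and not Drupal project code) scans a Drupal 7 tree for path_breadcrumbs.info and compares the packaged version against 7.x-3.4. It assumes the `version = "..."` line that drupal.org packaging writes into .info files; the function names and result labels are hypothetical.

```python
import re
import sys
from pathlib import Path

def classify(version):
    """Compare a Path Breadcrumbs version string with the 7.x-3.4 fix."""
    m = re.fullmatch(r"7\.x-(\d+)\.(\d+|x)(.*)", version.strip())
    if not m:
        return "unknown"      # no packaged version line, e.g. a git checkout
    major, minor, extra = m.groups()
    if int(major) != 3:
        return "unlisted"     # the advisory names only the 7.x-3.x branch
    if minor == "x":
        return "review"       # 7.x-3.x-dev: snapshot of unknown age
    if int(minor) > 4:
        return "patched"
    if int(minor) == 4:
        # 7.x-3.4-rc1 style pre-releases precede the fixed release
        return "review" if extra.startswith("-") else "patched"
    # 7.x-3.3+2-dev: built after 3.3, may or may not contain the fix
    return "review" if extra.endswith("-dev") else "upgrade"

def scan(root):
    """Map each path_breadcrumbs.info under root to (version, status)."""
    results = {}
    for info in Path(root).rglob("path_breadcrumbs.info"):
        text = info.read_text(errors="replace")
        m = re.search(r'^\s*version\s*=\s*"?([^"\n]+)"?\s*$', text, re.M)
        version = m.group(1).strip() if m else ""
        results[str(info)] = (version, classify(version))
    return results

if __name__ == "__main__":
    # Usage: python check_path_breadcrumbs.py /path/to/drupal/root
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, (version, status) in sorted(scan(root).items()):
        print(f"{status:9} {version or '(none)':16} {path}")
```

Anything reported as "upgrade", "review" or "unknown" should be brought to the 7.x-3.4 release or later.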
