it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
[IT-SecNots] [Security-news] Easy Breadcrumb - Critical - Cross Site Scripting - SA-CONTRIB-2019-053
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Easy Breadcrumb - Critical - Cross Site Scripting - SA-CONTRIB-2019-053
- Date: Wed, 19 Jun 2019 17:25:33 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2019-053
Project: Easy Breadcrumb [1]
Version: 7.x-2.x-dev
Date: 2019-June-19
Security risk: *Critical* 15/25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross Site Scripting
Description:
This module enables you to use the current URL (path alias) and the current
page's title to automatically extract the breadcrumb's segments and their
respective links, then show them as breadcrumbs on your website.
The module doesn't sufficiently sanitise user input in certain circumstances.
This vulnerability does not require any permissions, but it can be mitigated by
unchecking the 'Allow HTML tags in breadcrumb text' setting (enabled by
default). In some cases browsers' built-in XSS protection may prevent
exploitation.
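The following is an added illustration, not code from the Easy Breadcrumb module or from the Drupal Security Team: a minimal breadcrumb builder that, like the module described above, derives segments from the path alias and the page title, and renders them with or without HTML escaping. The `allow_html` flag is a stand-in for the 'Allow HTML tags in breadcrumb text' setting; all function names and the sample path and title are constructed for the example.

```python
"""Breadcrumb rendering from a path alias, with and without HTML escaping.

Added example (hypothetical code, not the module's own). The `allow_html`
flag mirrors the effect of the 'Allow HTML tags in breadcrumb text'
setting: True emits titles verbatim, False escapes them so markup that
reaches a breadcrumb via the title or a path segment renders as text.
"""
from html import escape
from urllib.parse import quote


def split_path_alias(path: str) -> list[str]:
    """Split '/a/b/c' into ['a', 'b', 'c'], dropping empty segments."""
    return [seg for seg in path.strip("/").split("/") if seg]


def segment_title(segment: str) -> str:
    """Derive a readable title from a path segment ('about-us' -> 'About Us')."""
    return " ".join(word.capitalize() for word in segment.split("-"))


def build_breadcrumb(path: str, page_title: str) -> list[tuple[str, str]]:
    """Return (title, href) pairs: Home, one per parent segment, then the page."""
    segments = split_path_alias(path)
    crumbs = [("Home", "/")]
    for i, seg in enumerate(segments[:-1]):
        href = "/" + "/".join(segments[: i + 1])
        crumbs.append((segment_title(seg), href))
    if segments:
        crumbs.append((page_title, "/" + "/".join(segments)))
    return crumbs


def render_breadcrumb(crumbs: list[tuple[str, str]], allow_html: bool = False) -> str:
    """Render crumbs as an HTML list.

    allow_html=True is the weak setting: titles are emitted unchanged.
    allow_html=False escapes each title for HTML text context; hrefs are
    percent-encoded so they are safe inside the attribute quotes either way.
    """
    items = []
    for title, href in crumbs:
        text = title if allow_html else escape(title, quote=True)
        safe_href = quote(href, safe="/")
        items.append(f'<li><a href="{safe_href}">{text}</a></li>')
    return "<ul>" + "".join(items) + "</ul>"


if __name__ == "__main__":
    # Constructed sample: a page whose title carries a harmless tag.
    crumbs = build_breadcrumb("/about-us/team", "<em>Our Team</em>")
    print("HTML allowed :", render_breadcrumb(crumbs, allow_html=True))
    print("HTML escaped :", render_breadcrumb(crumbs, allow_html=False))
```

Running the block shows the difference the setting makes: with `allow_html=True` the `<em>` tag in the title becomes part of the page's markup, with `allow_html=False` it is rendered as the literal text `&lt;em&gt;Our Team&lt;/em&gt;`. The escaping is applied at output time, which is the control the advisory's mitigation restores by disabling HTML in breadcrumb text.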
Solution:
Install the latest version:
* If you use the Easy Breadcrumb module for Drupal 7.x, upgrade to Easy
Breadcrumb 7.x-2.17 [3]
Also see the Easy Breadcrumb [4] project page.
Reported By:
* Jill Garland [5]
* P K [6]
Fixed By:
* Balazs Janos Tatar [7] Provisional Member of the Drupal Security Team
* Drew Webber [8] of the Drupal Security Team
Coordinated By:
* Drew Webber [9] of the Drupal Security Team
[1] https://www.drupal.org/project/easy_breadcrumb
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/easy_breadcrumb/releases/7.x-2.17
[4] https://www.drupal.org/project/easy_breadcrumb
[5] https://www.drupal.org/user/3617346
[6] https://www.drupal.org/user/2407432
[7] https://www.drupal.org/user/649590
[8] https://www.drupal.org/user/255969
[9] https://www.drupal.org/user/255969
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Archive provided by MHonArc 2.6.19.