it-securitynotifies - [IT-SecNots] [Security-news] Easy Breadcrumb - Moderately critical - Cross site scripting - SA-CONTRIB-2020-027

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Easy Breadcrumb - Moderately critical - Cross site scripting - SA-CONTRIB-2020-027
  • Date: Wed, 22 Jul 2020 19:13:25 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2020-027

Project: Easy Breadcrumb [1]
Version: 8.x-1.x-dev
Date: 2020-July-22
Security risk: *Moderately critical* 13∕25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross site scripting

Description: 
This module enables you to use the current URL (path alias) and the current
page's title to automatically extract the breadcrumb's segments and their
respective links, then show them as breadcrumbs on your website.

The module doesn't sufficiently sanitize editor input in certain
circumstances, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability requires that the user have the 'administer Easy
Breadcrumb settings' permission.

Solution: 
Install the latest version:

* If you use the Easy Breadcrumb module for Drupal 8, upgrade to Easy
Breadcrumb 8.x-1.13 [3]

Also see the Easy Breadcrumb [4] project page.

Reported By: 
* Greg Boggs [5]

Fixed By: 
* Greg Boggs [6]
* Samuel Mortenson [7] of the Drupal Security Team

Coordinated By: 
* Greg Knaddison [8] of the Drupal Security Team


[1] https://www.drupal.org/project/easy_breadcrumb
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/easy_breadcrumb/releases/8.x-1.13
[4] https://www.drupal.org/project/easy_breadcrumb
[5] https://www.drupal.org/user/153069
[6] https://www.drupal.org/user/153069
[7] https://www.drupal.org/user/2582268
[8] https://www.drupal.org/user/36762
