Zum Inhalt springen.
Sympa Menü

it-securitynotifies - [IT-SecNots] [Security-news] Custom Breadcrumbs - Less critical - Cross Site Scripting - SA-CONTRIB-2022-024

it-securitynotifies AT lists.piratenpartei.de

Betreff: Sicherheitsankündigungen

Listenarchiv

[IT-SecNots] [Security-news] Custom Breadcrumbs - Less critical - Cross Site Scripting - SA-CONTRIB-2022-024


Chronologisch Thread 
    < Chronologisch >      < Thread >
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Custom Breadcrumbs - Less critical - Cross Site Scripting - SA-CONTRIB-2022-024
  • Date: Wed, 9 Feb 2022 18:52:09 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>
View online: https://www.drupal.org/sa-contrib-2022-024

Project: Custom Breadcrumbs [1]
Date: 2022-February-09
Security risk: *Less critical* 8∕25
AC:Basic/A:User/CI:None/II:None/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting

Description: 
The Custom Breadcrumbs module provides a variety of options for customizing
the breadcrumb trail.

The module doesn't sufficiently filter on output, leading to a Cross Site
Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role
with the permission "Administer custom breadcrumbs" permission.

Solution: 
Install the latest version:

* If you use the Custom Breadcrumbs module for Drupal 8.x or 9.x, upgrade to
Custom Breadcrumbs 1.0.1 [3]

Reported By: 
* Krzysztof Domański [4]

Fixed By: 
* Paulo Henrique Cota Starling [5]
* Krzysztof Domański [6]

Coordinated By: 
* Chris McCafferty [7] of the Drupal Security Team


[1] https://www.drupal.org/project/custom_breadcrumbs
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/custom_breadcrumbs/releases/1.0.1
[4] https://www.drupal.org/user/3572982
[5] https://www.drupal.org/user/3640109
[6] https://www.drupal.org/user/3572982
[7] https://www.drupal.org/user/1850070

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news

  • [IT-SecNots] [Security-news] Custom Breadcrumbs - Less critical - Cross Site Scripting - SA-CONTRIB-2022-024, security-news, 09.02.2022

Archiv bereitgestellt durch MHonArc 2.6.24.

Seitenanfang