- Advisory ID: DRUPAL-SA-CONTRIB-2014-086
- Project: Custom Breadcrumbs (third-party module)
- Version: 6.x, 7.x
- Date: 2014-September-10
- Security risk: 16/25 ( Critical) AC:None/A:User/CI:Some/II:Some/E:Theoretical/TD:All
- Vulnerability: Cross Site Scripting
Description
Custom Breadcrumbs allows administrators to set up parametrized breadcrumb trails for different content types, views, panels, taxonomy vocabularies and terms, paths, and a simple API that allows contributed modules to enable custom breadcrumbs for module pages and theme templates.
User input is not properly sanitized in all use cases, opening a Cross Site Scripting (XSS) vulnerability.
The vulnerability is only present when the custom breadcrumb is configured with the <none> special identifier so that some of the breadcrumb items are not links. Typical example is that the last breadcrumb element is showing the current page title but is not a link. The XSS vulnerability is not triggered if all items of the breadcrumb are links and special identifier <none> is not used.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance
with Drupal Security Team processes.
Versions affected
- Custom Breadcrumbs 6.x-1.x versions prior to 6.x-1.6
- Custom Breadcrumbs 6.x-2.x versions are NOT affected
- Custom Breadcrumbs 7.x-2.x versions prior to 7.x-2.0-beta1
Drupal core is not affected. If you do not use the contributed Custom Breadcrumbs module,
there is nothing you need to do.
Solution
Install the latest version:
- If you use the Custom Breadcrumbs module version 1.x for Drupal 6.x, upgrade to Custom Breadcrumbs 6.x-1.6.
- If you use the Custom Breadcrumbs module version 2.x for Drupal 7.x, upgrade to Custom Breadcrumbs 7.x-2.0-beta1.
Also see the Custom Breadcrumbs project page.
Reported by
Fixed by
- Markus Sipilä
- Colan Schwartz the module maintainer
Coordinated by
- Greg Knaddison of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies,
writing secure code for Drupal, and
securing your site.