Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.
By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CONTRIB-2015-012
- Project: Navigate (third-party module)
- Version: 6.x, 7.x
- Date: 2015-May-20
- Security risk: 13/25 ( Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
- Vulnerability: Cross Site Scripting, Access bypass
Description
Navigate is a customizable navigation tool for Drupal.
Access Bypass
In certain situations the module does not adequately check content permissions, allowing a malicious user with "navigate view" permission to modify custom widgets and create new widget database records.
Cross-site scripting
The module also doesn't sufficiently filter text, creating an XSS vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permissions "navigate view", "navigate_custom use" and either "navigate customize" or "navigate administer".
CVE identifier(s) issued
- Access Bypass: CVE-2015-5499
- Cross-site scripting: CVE-2015-5500
Versions affected
All versions of Navigate module.
Drupal core is not affected. If you do not use the contributed Navigate module,
there is nothing you need to do.
Solution
If you use the Navigate module you should uninstall it.
Also see the Navigate project page.
Reported by
Fixed by
Not applicable.
Coordinated by
- Michael Hess of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
