This module uses the current URL (path alias) and the current page's title to automatically derive the breadcrumb's segments and their respective links, then shows them as breadcrumbs on your website.
The module doesn't sufficiently sanitise user input in certain circumstances, so text that reaches the breadcrumb (the page title or path segments it is derived from) can carry markup into the page, leading to a Cross Site Scripting vulnerability.
This vulnerability does not require any permissions, but it can be mitigated by un-checking the 'Allow HTML tags in breadcrumb text' setting (enabled by default). In some cases browsers' built-in XSS protection may prevent exploitation, but that is not a dependable control: those filters were never consistent across browsers and the major browsers have since removed them, so upgrading or disabling the setting is the fix.
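To make the failure mode concrete, here is a self-contained model of a breadcrumb builder with the flawed rendering beside a hardened one. This is an added example written for this page, not the Easy Breadcrumb module's own code: the function names, the `ALLOWED_TAGS` list, the separator and the sample path and titles are all assumptions. With the "allow HTML" setting on, the flawed renderer emits the segment text untouched; the hardened renderer keeps only allow-listed tags and drops every attribute, which is a stricter stand-in for what Drupal 7's filter_xss() does, and escapes everything when the setting is off.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Assumed allow-list for the "allow HTML tags" mode; not the module's own list.
ALLOWED_TAGS = {"b", "i", "em", "strong"}


class AllowListFilter(HTMLParser):
    """Rebuilds markup keeping only allow-listed tags, with every attribute dropped.

    Dropping all attributes removes on* event handlers and javascript: URLs; text
    nodes are re-escaped so nothing the parser decoded can re-enter as markup.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")

    def handle_startendtag(self, tag, attrs):
        # Self-closing forms such as <img ... /> are never in the allow-list.
        pass

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))


def filter_allowed_html(text):
    """Allow-list filtering modelled here (stricter than Drupal 7's filter_xss: no attributes at all)."""
    p = AllowListFilter()
    p.feed(text)
    p.close()
    return "".join(p.out)


def segments_from_path(path, page_title=None):
    """Derive breadcrumb segments from a path alias such as /blog/first-post.

    Each segment links to its prefix of the path; the last segment's text is
    replaced by the page title when one is given, as the module description says.
    """
    parts = [unquote(p) for p in path.strip("/").split("/") if p]
    crumbs = []
    for i, part in enumerate(parts):
        text = part.replace("-", " ").replace("_", " ").title()
        crumbs.append({"text": text, "url": "/" + "/".join(parts[: i + 1])})
    if crumbs and page_title is not None:
        crumbs[-1]["text"] = page_title
    return crumbs


def _link(url, text):
    return f'<a href="{html.escape(url, quote=True)}">{text}</a>'


def render_vulnerable(crumbs, allow_html):
    """Models the flawed behaviour: with allow_html on, the text is emitted untouched."""
    items = []
    for c in crumbs:
        text = c["text"] if allow_html else html.escape(c["text"], quote=True)
        items.append(_link(c["url"], text))
    return " &raquo; ".join(items)


def render_hardened(crumbs, allow_html):
    """Same output shape, but HTML mode only lets allow-listed, attribute-free tags through."""
    items = []
    for c in crumbs:
        if allow_html:
            text = filter_allowed_html(c["text"])
        else:
            text = html.escape(c["text"], quote=True)
        items.append(_link(c["url"], text))
    return " &raquo; ".join(items)


if __name__ == "__main__":
    # Constructed sample: an attacker-controlled page title carried into the breadcrumb.
    crumbs = segments_from_path("/blog/first-post", page_title='<img src=x onerror=alert(1)>')
    print(render_vulnerable(crumbs, allow_html=True))   # payload reaches the page as markup
    print(render_hardened(crumbs, allow_html=True))     # <img> and its onerror are dropped
    print(render_hardened(crumbs, allow_html=False))    # everything is entity-escaped
```

The point of the split between the two renderers is that "allow HTML" is a legitimate feature only if the HTML is filtered against an allow-list; passing the title through verbatim turns the setting into the vulnerability, which is why un-checking it is the mitigation.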
Edited 2019-Jun-20: updated risk calculation to reflect an oversight in the original advisory. The issue has been exploited.
Install the latest version:
- If you use the Easy Breadcrumb module for Drupal 7.x, upgrade to Easy Breadcrumb 7.x-2.17
Also see the Easy Breadcrumb project page.
- Balazs Janos Tatar Provisional Member of the Drupal Security Team
- Drew Webber of the Drupal Security Team
- Greg Boggs
- Drew Webber of the Drupal Security Team