• Advisory ID: DRUPAL-SA-CONTRIB-2010-032
  • Project: Taxonomy Breadcrumb (third-party module)
  • Versions: 6.x-1.x, 5.x-1.x
  • Date: 2010-March-31
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting


The Taxonomy Breadcrumb module generates taxonomy based breadcrumbs on node pages and taxonomy/term pages. This module does not properly sanitize taxonomy term name and, for 6.x, node titles when displayed in breadcrumbs, leading to a Cross Site Scripting (XSS) vulnerability. XSS vulnerabilities may lead to compromise of administrative accounts or other attacks against site visitors.

Versions affected

  • Taxonomy Breadcrumb module for Drupal 6.x version prior to 6.x-1.1.
  • Taxonomy Breadcrumb module for Drupal 5.x versions prior to 5.x-1.5.

Drupal core is not affected. If you do not use the contributed Taxonomy Breadcrumb module, there is nothing you need to do.


Install the latest version.

Reported by

Fixed by


The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.