Project: Easy Breadcrumb
Date: 
2019-June-19
Vulnerability: 
Cross Site Scripting
Description: 

This module uses the current URL (path alias) and the current page's title to derive the breadcrumb segments and their respective links automatically, and then displays them as breadcrumbs on your website.

The module does not sufficiently sanitise user-controlled input in certain circumstances: breadcrumb text derived from the request path and page title can reach the rendered page without being escaped, which allows script injection.

This vulnerability does not require any permissions, so it is exploitable by an unauthenticated visitor. It can be mitigated by un-checking the 'Allow HTML tags in breadcrumb text' setting (enabled by default). In some cases browsers' built-in XSS protection may prevent exploitation, but it should not be relied on as a mitigation: the filter is heuristic, is not present in all browsers, and has since been removed from Chrome.
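The following added example is not the Easy Breadcrumb module's code and does not reproduce its actual vulnerable code path; it is a standalone illustration of the pattern the advisory describes: breadcrumb text is derived from the request path and page title, and a single "allow HTML" switch decides whether that text is emitted verbatim or entity-escaped. The function names, the `$allowHtml` flag, the simplified path-to-crumb logic and the sample path are assumptions made for the illustration.

```php
<?php
// Added illustration of the breadcrumb XSS pattern described in the advisory.
// This is NOT the Easy Breadcrumb module's code. The segment/title handling,
// the $allowHtml flag and the sample request path are assumptions chosen to
// show why emitting breadcrumb text without escaping is exploitable.

declare(strict_types=1);

/**
 * Build breadcrumb entries from a request path and the page title,
 * mimicking "derive the breadcrumb from the path alias and page title".
 * Each entry is ['href' => link target, 'text' => link text].
 */
function breadcrumbSegments(string $path, string $pageTitle): array
{
    // Drop empty segments produced by leading/trailing slashes.
    $segments = array_values(array_filter(explode('/', $path), 'strlen'));
    $crumbs = [];
    $href = '';
    foreach ($segments as $i => $segment) {
        $href .= '/' . $segment;
        $isLast = ($i === count($segments) - 1);
        // The final crumb is the current page, so it uses the page title;
        // intermediate crumbs use the URL-decoded path segment as their text.
        $text = $isLast ? $pageTitle : rawurldecode($segment);
        $crumbs[] = ['href' => $href, 'text' => $text];
    }
    return $crumbs;
}

/**
 * Render the crumbs as an HTML list.
 * $allowHtml = true  -> text is emitted verbatim (the weak, default-on setting).
 * $allowHtml = false -> text is entity-escaped before output (the safe setting).
 */
function renderBreadcrumb(array $crumbs, bool $allowHtml): string
{
    $items = [];
    foreach ($crumbs as $crumb) {
        // The href is always escaped; only the link text depends on the setting.
        $href = htmlspecialchars($crumb['href'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $text = $allowHtml
            ? $crumb['text']
            : htmlspecialchars($crumb['text'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $items[] = sprintf('<li><a href="%s">%s</a></li>', $href, $text);
    }
    return '<ol class="breadcrumb">' . implode('', $items) . '</ol>';
}

// Constructed attacker input (not from the advisory): a percent-encoded path
// segment that decodes to an <img> tag carrying an onerror handler.
$path  = '/blog/%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E/some-post';
$title = 'Some Post';

$crumbs = breadcrumbSegments($path, $title);

// Weak setting: the decoded <img ... onerror=...> lands in the DOM as markup.
echo renderBreadcrumb($crumbs, true), PHP_EOL;

// Safe setting: the same segment is rendered as literal text (&lt;img ...&gt;).
echo renderBreadcrumb($crumbs, false), PHP_EOL;
```

Run it with `php breadcrumb.php`: the first line of output contains a live `<img src=x onerror=alert(1)>` inside the second breadcrumb link, the second line shows the same segment entity-encoded and therefore inert. In a Drupal module the equivalent distinction is between passing breadcrumb text through Twig's autoescaping or `\Drupal\Component\Utility\Html::escape()` and marking it safe with `\Drupal\Core\Render\Markup::create()`; the latter is what an "allow HTML tags" option amounts to, and it should only ever be applied to text the site administrator controls, never to text derived from the request URL.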

Edited 2019-Jun-20: updated risk calculation to reflect an oversight in the original advisory. The issue has been exploited.

Solution: 

Install the latest version:

Also see the Easy Breadcrumb project page.

Reported By: 
Fixed By: 
Coordinated By: