Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Project:
Date:
2021-August-25
Vulnerability:
Cross Site Scripting, Access Bypass
Affected versions:
<2.5.0 || 3.0.0 || 3.0.1
Description:
The Admin Toolbar (admin_toolbar) module extends the default toolbar provided by Drupal Core with various features facilitating day-to-day editorial and administrative work.
The Admin Toolbar Search sub-module of this module
- doesn't sanitize user input in certain cases, which leads to a Cross-Site-Scripting (XSS) vulnerability. An attacker that can create or edit certain entities, entity bundles or entity types may be able to exploit one or more Cross-Site-Scripting (XSS) vulnerabilities to target users with access to the Admin Toolbar Search search box, including site admins with privileged access.
- doesn't properly check access in certain cases, which may result in an information disclosure vulnerability of entity type and bundle labels.
The vulnerability is mitigated by the facts, that:
- the Admin Toolbar Search sub-module must be enabled.
- an attacker must have one of several permissions, of which at least some are commonly only assigned to either editors, site builders or administrators.
- a targeted account must have permission to use the search box provided by the Admin Toolbar Search sub-module.
Solution:
Install the latest version:
- If you use admin_toolbar 3.0.0 or later, upgrade to Admin Toolbar 3.0.2.
- If you use admin_toolbar 8.x-2.0 or later, upgrade to Admin Toolbar 8.x-2.5.
Also see the Admin Toolbar project page.
Reported By:
Fixed By:
Coordinated By:
- Greg Knaddison of the Drupal Security Team
