Less Critical XSS Vulnerability in Custom Breadcrumbs Module
On February 9th, 2022, the Drupal Security Team announced a Cross-Site Scripting (XSS) vulnerability, SA-CONTRIB-2022-024, in the Custom Breadcrumbs module. Its criticality is rated low, based on the risk score:
8∕25 AC:Basic/A:User/CI:None/II:None/E:Theoretical/TD:All
The Custom Breadcrumbs module offers a variety of options for customizing breadcrumbs, including:
- ability to add a custom breadcrumb for all content entities or for paths like Page Manager, Views, etc.
- settings stored as config entities, so everything is exportable
- set up a homepage link
- set up the current page as the last crumb
- multilanguage support
- token support
- extra cache contexts
- extra variables such as nolink and hierarchical breadcrumbs built from the taxonomy term tree
- ability to attach the breadcrumb to every entity display mode, for example on the teaser in search results
- trim breadcrumb length
27,459 sites report using this module.
The Cross-Site Scripting vulnerability exists because the module does not adequately filter its output. It is mitigated by the fact that an attacker must have a role with the "Administer custom breadcrumbs" permission.
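To make "does not adequately filter the output" concrete, here is an added example (not the module's own code, and not the fix shipped in 1.0.1) contrasting two ways of turning admin-configured crumb titles, tokens included, into Drupal breadcrumb links. The function names and the `$crumbs` array shape are assumptions; the Drupal 9 classes used (Breadcrumb, Link, Url, Markup, Xss, Token) are core APIs.

```php
<?php

declare(strict_types=1);

// Added example, not code from the Custom Breadcrumbs module. Function names
// and the shape of $crumbs are hypothetical. Constructed input, e.g.:
//   [['title' => 'Home', 'path' => '/'],
//    ['title' => '[node:title]', 'path' => '/node/1']]

use Drupal\Component\Utility\Xss;
use Drupal\Core\Breadcrumb\Breadcrumb;
use Drupal\Core\Link;
use Drupal\Core\Render\BubbleableMetadata;
use Drupal\Core\Render\Markup;
use Drupal\Core\Url;

/**
 * Unfiltered pattern: Markup::create() declares the string safe, so any
 * HTML typed into the title by someone holding the admin permission is
 * emitted verbatim by the link generator and by Twig.
 */
function build_crumbs_unfiltered(array $crumbs, array $token_data): Breadcrumb {
  $breadcrumb = new Breadcrumb();
  $metadata = new BubbleableMetadata();
  foreach ($crumbs as $crumb) {
    // Token::replace() escapes token values but leaves the surrounding admin text as-is.
    $title = \Drupal::token()->replace($crumb['title'], $token_data, ['clear' => TRUE], $metadata);
    $url = Url::fromUserInput($crumb['path']);  // path must start with '/', '#' or '?'
    $breadcrumb->addLink(Link::fromTextAndUrl(Markup::create($title), $url));
  }
  $breadcrumb->addCacheableDependency($metadata);
  return $breadcrumb;
}

/**
 * Filtered pattern: run the admin-entered text through Xss::filterAdmin(),
 * which keeps harmless formatting tags but drops <script>, on* event
 * attributes and javascript: URLs, before marking it as safe markup.
 * If no HTML is wanted at all, pass the plain string to Link instead;
 * LinkGenerator escapes link text that is not a MarkupInterface object.
 */
function build_crumbs_filtered(array $crumbs, array $token_data): Breadcrumb {
  $breadcrumb = new Breadcrumb();
  $metadata = new BubbleableMetadata();
  foreach ($crumbs as $crumb) {
    $title = \Drupal::token()->replace($crumb['title'], $token_data, ['clear' => TRUE], $metadata);
    $url = Url::fromUserInput($crumb['path']);
    $breadcrumb->addLink(Link::fromTextAndUrl(Markup::create(Xss::filterAdmin($title)), $url));
  }
  $breadcrumb->addCacheableDependency($metadata);
  return $breadcrumb;
}
```

The permission requirement noted above limits who can enter such titles, but output filtering is what stops stored markup from reaching every visitor's browser.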
Solution:
The Drupal Security Team recommends installing the latest version: if you use the Custom Breadcrumbs module for Drupal 8.x or 9.x, upgrade to Custom Breadcrumbs 1.0.1.
Source:
https://www.drupal.org/sa-contrib-2022-024
https://www.drupal.org/project/custom_breadcrumbs
