Less Critical XSS Vulnerability in Custom Breadcrumbs Module

On February 9th, 2022, the Drupal Security Team announced a Cross-Site Scripting (XSS) vulnerability, SA-CONTRIB-2022-024, in the Custom Breadcrumbs module, rated "Less critical". The rating is derived from the advisory's risk score:

8/25 AC:Basic/A:User/CI:None/II:None/E:Theoretical/TD:All

The Custom Breadcrumbs module offers a variety of options for customizing breadcrumbs, including:

  • the ability to add a custom breadcrumb for all content entities or for paths such as Page Manager pages, views, etc.
  • settings stored as config entities, so everything is exportable
  • a configurable homepage link
  • the current page as the last crumb
  • multilanguage support
  • token support
  • extra cache contexts
  • extra variables such as nolink and hierarchical breadcrumbs built from a taxonomy term tree
  • the ability to attach the breadcrumb to every entity display mode, for example on the teaser in search results
  • trimming of breadcrumb length

27,459 sites report using this module.

The Cross-Site Scripting vulnerability exists because the module does not adequately filter its output. It is mitigated by the fact that an attacker must have a role with the "Administer custom breadcrumbs" permission.
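To illustrate the class of bug described above, the following is an added example (not the module's code, and not taken from the advisory). The `buildCrumb*` functions and the `$adminTitle` sample are hypothetical; they show how a breadcrumb title saved by someone holding "Administer custom breadcrumbs" reaches every visitor unescaped when it is wrapped in `Markup`, and the two ways Drupal's own APIs keep it safe.

```php
<?php
// Added example (not from the Custom Breadcrumbs module): why marking
// admin-supplied text as safe HTML bypasses Drupal's output escaping.
use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\Xss;
use Drupal\Core\Breadcrumb\Breadcrumb;
use Drupal\Core\Link;
use Drupal\Core\Render\Markup;
use Drupal\Core\Url;

// Constructed sample: a title stored by a user with the
// "Administer custom breadcrumbs" permission. Anyone holding that
// permission can write arbitrary text here, which is why the advisory
// treats the permission as the only mitigation.
$adminTitle = 'Home <script>alert(1)</script>';

// UNSAFE: Markup::create() tells the renderer the string is already-safe
// HTML, so Twig autoescaping is skipped and the tag is emitted verbatim.
function buildCrumbUnsafe(string $title): Breadcrumb {
  $crumb = new Breadcrumb();
  $crumb->addLink(Link::fromTextAndUrl(Markup::create($title), Url::fromRoute('<front>')));
  return $crumb;
}

// SAFE (preferred): pass a plain string. Twig autoescaping encodes it, so
// visitors see the literal characters "<script>" rather than an element.
function buildCrumbSafe(string $title): Breadcrumb {
  $crumb = new Breadcrumb();
  $crumb->addLink(Link::fromTextAndUrl($title, Url::fromRoute('<front>')));
  return $crumb;
}

// SAFE (when a limited set of tags such as <em> must be allowed): strip
// everything outside Drupal's admin allow-list before marking it safe.
function buildCrumbFiltered(string $title): Breadcrumb {
  $crumb = new Breadcrumb();
  $safe = Markup::create(Xss::filterAdmin($title));
  $crumb->addLink(Link::fromTextAndUrl($safe, Url::fromRoute('<front>')));
  return $crumb;
}

// Html::escape() shows what autoescaping will emit for the sample title.
print Html::escape($adminTitle) . "\n";
```

When reviewing a contributed module for this bug class, search for `Markup::create()`, `#markup` keys and the `|raw` Twig filter applied to values that originate from a configuration form.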

Solution:

The Drupal Security Team recommends installing the latest version: if you use the Custom Breadcrumbs module for Drupal 8.x or 9.x, upgrade to Custom Breadcrumbs 1.0.1.

Source:

https://www.drupal.org/sa-contrib-2022-024
https://www.drupal.org/project/custom_breadcrumbs

Note: The vision of this web portal is to help promote news and stories around the Drupal community and to promote and celebrate the people and organizations in the community. We strive to create and distribute our content based on this content policy. If you see any omission or variation from it, please let us know in the comments below and we will try to address the issue as best we can.
