Vulnerability from drupal
Published
2020-07-22 17:58
Modified
2023-08-11 17:49
Summary
Details

This module enables you to use the current URL (path alias) and the current page's title to automatically extract the breadcrumb's segments and its respective links then show them as breadcrumbs on your website.

The module doesn't sufficiently sanitize editor input in certain circumstances leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability requires the user have 'administer Easy Breadcrumb settings permission'.

Credits
Greg Boggs www.drupal.org/user/153069
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "affected_versions": "\u003c1.13.0"
      },
      "package": {
        "ecosystem": "Packagist:https://packages.drupal.org/8",
        "name": "drupal/easy_breadcrumb"
      },
      "ranges": [
        {
          "database_specific": {
            "constraint": "\u003c1.13.0"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.13.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": []
    }
  ],
  "aliases": [],
  "credits": [
    {
      "contact": [
        "https://www.drupal.org/user/153069"
      ],
      "name": "Greg Boggs"
    }
  ],
  "details": "This module enables you to use the current URL (path alias) and the current page\u0027s title to automatically extract the breadcrumb\u0027s segments and its respective links then show them as breadcrumbs on your website.\n\nThe module doesn\u0027t sufficiently sanitize editor input in certain circumstances leading to a Cross Site Scripting (XSS) vulnerability.\n\nThis vulnerability requires the user have \u0027administer Easy Breadcrumb settings permission\u0027.",
  "id": "DRUPAL-CONTRIB-2020-027",
  "modified": "2023-08-11T17:49:02.000Z",
  "published": "2020-07-22T17:58:17.000Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2020-027"
    }
  ],
  "schema_version": "1.7.0"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.