Navigate - Moderately Critical - Multiple Vulnerabilities - Unsupported - SA-CONTRIB-2015-112

Navigate is a customizable navigation tool for Drupal.

Access Bypass

In certain situations the module does not adequately check content permissions, allowing a malicious user with “navigate view” permission to modify custom widgets and create new widget database records.

Cross-site scripting

The module also doesn’t sufficiently filter text, creating an XSS vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permissions “navigate view”, “navigate_custom use” and either “navigate customize” or “navigate administer”.

CVE identifier(s) issued

• Access Bypass: ** CVE-2015-5499** * Cross-site scripting:CVE-2015-5500

Versions affected

All versions of Navigate module.

Drupal core is not affected. If you do not use the contributed Navigate module,
there is nothing you need to do.

Solution

If you use the Navigate module you should uninstall it.

Also see the Navigate project page.

Reported by

• Kate Kligman

Fixed by

Not applicable.

Coordinated by

• Michael Hess of the Drupal Security Team