CVSS2: 4 Medium (AV:N/AC:L/Au:S/C:N/I:P/A:N)
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AI Score: 9.1 High (Confidence: High)
EPSS: 0.967 High (Percentile: 99.7%)
Navigate is a customizable navigation tool for Drupal.
In certain situations the module does not adequately check content permissions, allowing a malicious user with “navigate view” permission to modify custom widgets and create new widget database records.
The module also doesn’t sufficiently filter text, creating an XSS vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permissions “navigate view”, “navigate_custom use” and either “navigate customize” or “navigate administer”.
All versions of the Navigate module are affected.
Drupal core is not affected. If you do not use the contributed Navigate module, there is nothing you need to do.
If you use the Navigate module you should uninstall it.
Also see the Navigate project page.
Not applicable.