Drupal Security TeamDRUPAL-SA-CONTRIB-2015-037SA-CONTRIB-2015-037 - Path Breadcrumbs - Access Bypass
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS
Percentile
99.7%
This module enables you to configure breadcrumbs for any Drupal page.
The module doesnβt check node access on 403 Not Found pages. As a result, unpublished content data can be shown to unprivileged user.
This vulnerability is mitigated by the fact that it is possible to configure proper access control in Path Breadcrumbs items with βSelection Rulesβ from the UI.
CVE identifier(s) issued
- CVE-2015-3391
Versions affected
- Path Breadcrumbs 7.x-3.x versions prior to 7.x-3.2
Drupal core is not affected. If you do not use the contributed Path Breadcrumbs module,
there is nothing you need to do.
Solution
Install the latest version:
- If you use the Path Breadcrumbs module for Drupal 7.x, upgrade to Path Breadcrumbs 7.x-3.2
Also see the Path Breadcrumbs project page.
Reported by
Fixed by
- Kate Marshalkina and Evgeniy Maslovskiy, the module maintainers
Coordinated by
- Greg Knaddison of the Drupal Security Team
References
twitter.com/drupalsecurity
www.drupal.org/contact
www.drupal.org/project/path_breadcrumbs
www.drupal.org/security-team
www.drupal.org/security-team/risk-levels
www.drupal.org/security/secure-configuration
www.drupal.org/u/greggles
www.drupal.org/u/kalabro
www.drupal.org/user/59351
www.drupal.org/user/810676
www.drupal.org/writing-secure-code
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS
Percentile
99.7%