Crumbs - Moderately Critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-082

This module enables you to add navigation to your webpages colloquially referred to as “breadcrumbs”.

The module doesn’t sufficiently sanitize custom HTML separators for breadcrumbs, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “Administer Crumbs”.

CVE identifier(s) issued

• CVE-2015-4378

Versions affected

• Crumbs 7.x-2.x versions prior to 7.x-2.3

Drupal core is not affected. If you do not use the contributed Crumbs module, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Crumbs module for Drupal 7.x, upgrade to Crumbs 7.x-2.3

Also see the Crumbs project page.

Reported by

• Colleen Blaho

Fixed by

• Andreas Hennings the module maintainer

Coordinated by

• Pere Orga of the Drupal Security Team