CVE-2015-6754 in Path Breadcrumbs Module

Summary

by MITRE

Cross-site scripting (XSS) vulnerability in the administration interface in the Path Breadcrumbs module 7.x-3.x before 7.x-3.3 for Drupal allows remote authenticated users with the "Administer Path Breadcrumbs" permission to inject arbitrary web script or HTML via unspecified vectors.


Analysis

by VulDB Data Team • 08/24/2018

CVE-2015-6754 is a critical cross-site scripting flaw in the Path Breadcrumbs module for Drupal, affecting the 7.x-3.x branch in versions before 7.x-3.3. The flaw lives in the module's administrative interface and poses a significant risk to Drupal installations that use this component. It is reachable only by authenticated users who hold the "Administer Path Breadcrumbs" permission, which makes it particularly dangerous in environments where that permission is granted to several users or where such accounts might be compromised.

Technically, the vulnerability stems from insufficient input validation and missing output encoding in the module's administrative forms. A user with the required permission can inject script or HTML through vectors that the advisory does not specify. The module fails to sanitize the supplied input before rendering it in the administrative context, so the injected content executes in the browsers of authenticated users who view the affected pages. The flaw is classified as CWE-79, cross-site scripting.

The operational impact extends beyond simple data theft or defacement: the injected script can be used to escalate privileges, steal session cookies, or redirect users to malicious sites. When an authenticated administrator views the affected module pages, the script runs in that administrator's browser session, potentially allowing the attacker to perform actions with the administrator's privileges. This is a severe risk even for organizations that restrict administrative access, because a single compromised administrative account, or a successful social-engineering attempt, is enough to exploit it. The attack vector is particularly concerning because it abuses legitimate administrative functionality rather than requiring an external exploitation method.

Affected organizations should immediately update the Path Breadcrumbs module to version 7.x-3.3, which addresses the XSS flaw. Security teams should also audit their Drupal installations to identify every instance of the vulnerable module and ensure that proper access controls are in place. Additional mitigations include validating input at multiple layers, configuring Content Security Policy headers to limit script execution, and monitoring administrative interfaces for suspicious activity. The vulnerability demonstrates the importance of keeping third-party modules updated and the need for robust security practices in content management systems, particularly around administrative interfaces where privilege-escalation risks are elevated. The issue also aligns with ATT&CK technique T1059, which covers command and script injection, since the vulnerability allows arbitrary script execution within the browser context of authenticated users.
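As an added illustration, not code from the Path Breadcrumbs module (whose affected code paths the advisory does not name), here is the Drupal 7 pattern the analysis describes: an admin listing that drops stored, user-controlled strings into a table unescaped, beside the same listing with output encoding applied. All function names, the loader and the admin path are hypothetical.

```php
<?php
// Constructed Drupal 7 example: an admin page listing stored breadcrumb
// entries. This is NOT the Path Breadcrumbs module's code; names such as
// example_breadcrumbs_* and the admin path are hypothetical.

/**
 * Vulnerable variant. theme_table() in Drupal 7 writes cell data into the
 * page as-is, so HTML or script stored in an entry by a user with the
 * module's administer permission runs in the browser of every administrator
 * who opens this page (CWE-79, stored XSS).
 */
function example_breadcrumbs_admin_list_vulnerable() {
  $header = array(t('Name'), t('Path'), t('Operations'));
  $rows = array();
  foreach (example_breadcrumbs_load_all() as $entry) {
    $rows[] = array(
      $entry->name,   // user-controlled, not escaped
      $entry->path,   // user-controlled, not escaped
      l(t('Edit'), 'admin/structure/example-breadcrumbs/' . $entry->id . '/edit'),
    );
  }
  return theme('table', array('header' => $header, 'rows' => $rows));
}

/**
 * Fixed variant: encode every user-controlled value for the HTML context at
 * the point of output. check_plain() escapes <, >, &, " and '; l() with its
 * default 'html' => FALSE option escapes the link text itself.
 */
function example_breadcrumbs_admin_list_fixed() {
  $header = array(t('Name'), t('Path'), t('Operations'));
  $rows = array();
  foreach (example_breadcrumbs_load_all() as $entry) {
    $rows[] = array(
      check_plain($entry->name),
      check_plain($entry->path),
      l(t('Edit'), 'admin/structure/example-breadcrumbs/' . (int) $entry->id . '/edit'),
    );
  }
  return theme('table', array('header' => $header, 'rows' => $rows));
}

// Stand-in loader returning constructed sample rows so the example is
// self-contained; a real module would read its own database table.
function example_breadcrumbs_load_all() {
  return array(
    (object) array('id' => 1, 'name' => 'Blog', 'path' => 'blog/*'),
    (object) array('id' => 2, 'name' => 'News <b>archive</b>', 'path' => 'news/*'),
  );
}
```

In the fixed variant the second sample row renders literally as "News <b>archive</b>" instead of as markup, which is the behaviour a reviewer should look for in every admin listing or form that echoes stored configuration.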

Reservation: 08/31/2015

Disclosure: 08/31/2015

Moderation: accepted

Entry: VDB-77515

CPE: ready

EPSS: 0.00744

KEV: no

Activities: very low
