Admin Toolbar - Moderately critical - Cross Site Scripting, Access Bypass - SA-CONTRIB-2021-025
Project: Admin Toolbar Date: 2021-August-25 Security risk: Moderately critical 13∕25 Vulnerability: Cross Site Scripting, Access Bypass
The Admin Toolbar (admin_toolbar) module extends the default toolbar provided by Drupal Core with various features facilitating day-to-day editorial and administrative work.
The Admin Toolbar Search sub-module of this module
- doesn't sanitize user input in certain cases, which leads to a Cross-Site-Scripting (XSS) vulnerability. An attacker that can create or edit certain entities, entity bundles or entity types may be able to exploit one or more Cross-Site-Scripting (XSS) vulnerabilities to target users with access to the Admin Toolbar Search search box, including site admins with privileged access.
- doesn't properly check access in certain cases, which may result in an information disclosure vulnerability of entity type and bundle labels.
The vulnerability is mitigated by the facts, that:
- the Admin Toolbar Search sub-module must be enabled.
- an attacker must have one of several permissions, of which at least some are commonly only assigned to either editors, site builders or administrators.
- a targeted account must have permission to use the search box provided by the Admin Toolbar Search sub-module.
Install the latest version:
Also see the Admin Toolbar project page.