Admin Toolbar - Moderately critical - Cross Site Scripting, Access Bypass - SA-CONTRIB-2021-025

Project: Admin Toolbar
Date: 2021-August-25
Security risk: Moderately critical 13/25
Vulnerability: Cross Site Scripting, Access Bypass

Description

The Admin Toolbar (admin_toolbar) module extends the default toolbar provided by Drupal Core with various features facilitating day-to-day editorial and administrative work.

The Admin Toolbar Search sub-module of this module

  • doesn't sanitize user input in certain cases, which leads to a Cross-Site-Scripting (XSS) vulnerability. An attacker that can create or edit certain entities, entity bundles or entity types may be able to exploit one or more Cross-Site-Scripting (XSS) vulnerabilities to target users with access to the Admin Toolbar Search search box, including site admins with privileged access.
  • doesn't properly check access in certain cases, which may result in an information disclosure vulnerability of entity type and bundle labels.
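
The following is an added illustration in JavaScript, not code from the Admin Toolbar project, of the two issues listed above as they play out in a client-side autocomplete: a dropdown that concatenates entity type and bundle labels straight into HTML turns a label an editor typed into executable script for the administrator using the search box, and returning labels without an access check discloses them to users who should not see them. The sample entries, the function names and the `canAccess` callback are all constructed for this example.

```javascript
// Added illustration (not the Admin Toolbar module's own code): an
// autocomplete dropdown built from entity type / bundle labels, once
// the vulnerable way and once hardened with escaping and an access filter.

// Constructed sample data. One label carries markup the way a malicious
// editor could have typed it into a bundle's label field; another entry
// is one the current user is not allowed to see.
const SAMPLE_ENTRIES = [
  { label: "Article", path: "/admin/structure/types/manage/article", accessible: true },
  { label: "Promo <script>alert(1)</script>", path: "/admin/structure/types/manage/promo", accessible: true },
  { label: "Hidden bundle", path: "/admin/structure/types/manage/hidden", accessible: false },
];

// Minimal HTML escaping of the characters that matter in text and
// attribute context; equivalent in spirit to Drupal's Html::escape().
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// VULNERABLE: builds the dropdown markup by string concatenation and
// includes every entry. Any markup inside a label becomes live HTML the
// moment the string is assigned to innerHTML, and restricted labels leak.
function renderSuggestionsUnsafe(entries) {
  return entries
    .map((e) => `<li><a href="${e.path}">${e.label}</a></li>`)
    .join("");
}

// HARDENED: entries are access-filtered first, so labels the current user
// may not see never reach the markup, and every field is escaped before
// being placed into it.
function renderSuggestionsSafe(entries, canAccess) {
  return entries
    .filter(canAccess)
    .map((e) => `<li><a href="${escapeHtml(e.path)}">${escapeHtml(e.label)}</a></li>`)
    .join("");
}

// Hypothetical access callback (assumption for this example). A real
// implementation would rely on the server-side access check rather than
// a flag shipped with the data.
const canAccess = (e) => e.accessible === true;

// DOM-free check: does the rendered string still contain a live script tag?
function containsLiveMarkup(html) {
  return /<script\b/i.test(html);
}

console.log("unsafe contains live markup:", containsLiveMarkup(renderSuggestionsUnsafe(SAMPLE_ENTRIES)));
console.log("safe contains live markup:", containsLiveMarkup(renderSuggestionsSafe(SAMPLE_ENTRIES, canAccess)));
```

The escaping step is what stops the XSS; the access filter is what stops the label disclosure. Both are needed, because an escaped but still-listed label is no longer executable yet still reveals the name of an entity type or bundle the user is not meant to know about.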

The vulnerability is mitigated by the fact that:

  • the Admin Toolbar Search sub-module must be enabled.
  • an attacker must have one of several permissions, of which at least some are commonly only assigned to either editors, site builders or administrators.
  • a targeted account must have permission to use the search box provided by the Admin Toolbar Search sub-module.

Solution

Install the latest version:

  • If you use admin_toolbar 3.0.0 or later, upgrade to Admin Toolbar 3.0.2.
  • If you use admin_toolbar 8.x-2.0 or later, upgrade to Admin Toolbar 8.x-2.5.

Also see the Admin Toolbar project page.

Nick Onom
Marketing Project Manager
Enthusiastic about all kinds of Open Source applications, AI, bitcoins, but mostly Drupal and Backdrop. In recent years he has been actively developing AltaGrade's new back-end system.