Admin Toolbar - Moderately critical - Cross Site Scripting, Access Bypass - SA-CONTRIB-2021-025

Project: Admin ToolbarDate: 2021-August-25Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site Scripting, Access BypassDescription: The Admin Toolbar (admin_toolbar) module extends the default toolbar provided by Drupal Core with various features facilitating day-to-day editorial and administrative work.
The Admin Toolbar Search sub-module of this module

  • doesn't sanitize user input in certain cases, which leads to a Cross-Site-Scripting (XSS) vulnerability. An attacker that can create or edit certain entities, entity bundles or entity types may be able to exploit one or more Cross-Site-Scripting (XSS) vulnerabilities to target users with access to the Admin Toolbar Search search box, including site admins with privileged access.
  • doesn't properly check access in certain cases, which may result in an information disclosure vulnerability of entity type and bundle labels.

The vulnerability is mitigated by the facts, that:

  • the Admin Toolbar Search sub-module must be enabled.
  • an attacker must have one of several permissions, of which at least some are commonly only assigned to either editors, site builders or administrators.
  • a targeted account must have permission to use the search box provided by the Admin Toolbar Search sub-module.

Solution: Install the latest version:

Also see the Admin Toolbar project page.Reported By: 

Fixed By: 

Coordinated By: 

Path to article https://www.drupal.org/sa-contrib-2021-025