CVE-2010-1976
Description
Cross-site scripting (XSS) vulnerability in the Taxonomy Breadcrumb module 6.x before 6.x-1.1 for Drupal allows remote authenticated users, with administer taxonomy permissions, to inject arbitrary web script or HTML via the node title in a Breadcrumb display.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Taxonomy Breadcrumb module for Drupal 6.x and 5.x fails to sanitize node titles, allowing XSS by users with administer taxonomy permissions.
Vulnerability
The Taxonomy Breadcrumb module versions 6.x before 6.x-1.1 and 5.x before 5.x-1.5 for Drupal contain a stored cross-site scripting (XSS) vulnerability. The module does not properly sanitize the node title when generating breadcrumbs on node pages [1][2]. For the 6.x branch, the vulnerable field is the node title, which is displayed in breadcrumbs without escaping [2]. The vulnerability is exploitable by remote authenticated users who possess the "administer taxonomy" permission [description].
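The flaw described above, shown as an added sketch (not the Taxonomy Breadcrumb module's own code): a breadcrumb builder that places the node title into HTML raw, next to the same builder with output escaping. The function names and sample data are hypothetical. In Drupal the escaping call is `check_plain()`; the stand-in here uses PHP's `htmlspecialchars()` so the script runs outside Drupal.

```php
<?php
// Added illustration with hypothetical names; not code from the module.

// Stand-in for Drupal's check_plain(): encode HTML metacharacters.
// htmlspecialchars() returns '' for invalid UTF-8 unless ENT_SUBSTITUTE is set.
function escape_plain(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Build "Home » <term links> » <node title>".
// $terms:  list of ['name' => string, 'path' => string]
// $escape: callable applied to every user-controlled text fragment.
function render_breadcrumb(array $terms, string $node_title, callable $escape): string {
    $crumbs = ['<a href="/">Home</a>'];
    foreach ($terms as $term) {
        $crumbs[] = sprintf(
            '<a href="%s">%s</a>',
            htmlspecialchars($term['path'], ENT_QUOTES, 'UTF-8'),
            $escape($term['name'])
        );
    }
    // The last crumb is the node title, the field named in this CVE.
    $crumbs[] = $escape($node_title);
    return implode(' &raquo; ', $crumbs);
}

// The flawed pattern: text is passed through unchanged.
$no_escape = function (string $s): string { return $s; };

// Constructed sample data.
$terms = [['name' => 'News & Events', 'path' => '/taxonomy/term/3']];
$title = 'Q1 report <script>alert(1)</script>';

$unescaped = render_breadcrumb($terms, $title, $no_escape);
$escaped   = render_breadcrumb($terms, $title, 'escape_plain');

// Regression check: the title's markup must never reach the page as markup.
foreach (['unescaped' => $unescaped, 'escaped' => $escaped] as $label => $html) {
    $raw = strpos($html, '<script') !== false;
    printf("%-9s raw <script> present: %s\n  %s\n", $label, $raw ? 'yes' : 'no', $html);
}
```

The same check, run against a rendered node page on a test site after upgrading, confirms that the title is escaped in the breadcrumb.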
Exploitation
An attacker must be a remote authenticated user with the permission to administer taxonomy [description]. The attacker creates or modifies a node with a crafted title containing arbitrary web script or HTML. When the node is viewed and the Taxonomy Breadcrumb module renders the breadcrumb, the injected script executes in the context of the victim's browser [2][3].
Impact
Successful exploitation allows an attacker to inject arbitrary web script or HTML into pages viewed by other site users [description][2]. This can lead to compromise of administrative accounts, theft of sensitive information, or other attacks against site visitors [2].
Mitigation
Users of the 6.x-1.x branch should upgrade to version 6.x-1.1, and users of the 5.x-1.x branch should upgrade to version 5.x-1.5, both released on 31 March 2010 [2][3]. No other mitigation is necessary for sites that do not use the Taxonomy Breadcrumb module [2].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:michael_nichols:taxonomy_breadcrumb:6.x-0.1:beta:*:*:*:*:*:*
- cpe:2.3:a:michael_nichols:taxonomy_breadcrumb:6.x-1.0:*:*:*:*:*:*:*
- cpe:2.3:a:michael_nichols:taxonomy_breadcrumb:6.x-1.x:dev:*:*:*:*:*:*
- (no CPE) range: <6.x-1.1
Patches
No patches discovered yet.
References
- drupal.org/node/758456 (nvd, Patch)
- drupal.org/node/757974 (nvd, Vendor Advisory)
- secunia.com/advisories/39138 (nvd, Vendor Advisory)
- drupal.org/node/757980 (nvd)
- osvdb.org/63424 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/57446 (nvd)