CVE-2010-1984
Description
Cross-site scripting (XSS) vulnerability in the Taxonomy Breadcrumb module 5.x before 5.x-1.5 and 6.x before 6.x-1.1 for Drupal allows remote authenticated users, with administer taxonomy permissions, to inject arbitrary web script or HTML via the taxonomy term name in a Breadcrumb display.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting (XSS) in Taxonomy Breadcrumb module for Drupal 5.x and 6.x allows users with taxonomy administration permissions to inject arbitrary web script via term names.
Vulnerability
The vulnerability exists in the Taxonomy Breadcrumb module for Drupal, versions 5.x before 5.x-1.5 and 6.x before 6.x-1.1. The module does not properly sanitize taxonomy term names (and node titles in 6.x) when displaying them in breadcrumbs, allowing a stored cross-site scripting (XSS) attack. To exploit, an attacker must have the 'administer taxonomy' permission, as the malicious payload is inserted into the term name via the taxonomy administration interface [2].
Exploitation
An attacker with the 'administer taxonomy' permission creates or edits a taxonomy term with a crafted term name containing malicious JavaScript. When any user (including administrators) visits a page that displays breadcrumbs using that term, the script executes in the browser. This can occur on node pages or taxonomy/term pages. No additional user interaction beyond normal browsing is required [2].
Impact
Successful exploitation allows arbitrary web script or HTML to execute in the victim's browser session. This can lead to compromise of administrative accounts, theft of session cookies, defacement, or other attacks against site visitors. The Drupal Security Team rated this as a critical risk [2].
Mitigation
The official fix was released on 2010-03-31. Users of the 5.x branch should upgrade to 5.x-1.5 [1], and users of the 6.x branch should upgrade to 6.x-1.1 [3]. No workarounds are provided; upgrading the module is the only solution.
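To make the defect concrete, here is an added illustration (not the Taxonomy Breadcrumb module's own code) of a breadcrumb renderer that trusts the stored term name, beside the hardened form that escapes it at the HTML output boundary; function names and the sample term list are constructed for this example, and plain htmlspecialchars() stands in for Drupal's check_plain() so it runs without a Drupal bootstrap.

```php
<?php
// Added illustration (not the Taxonomy Breadcrumb module's own code): a
// breadcrumb builder that interpolates a taxonomy term name into HTML.
// Term names are attacker-controlled once a user holds 'administer taxonomy'.

// Vulnerable form: the term name is trusted and concatenated into markup.
function breadcrumb_link_vulnerable($term_name, $path) {
    return '<a href="' . $path . '">' . $term_name . '</a>';
}

// Hardened form: every untrusted string is escaped where it enters HTML.
// In Drupal 5/6 the equivalent helper is check_plain(); htmlspecialchars()
// is used here so the script runs stand-alone.
function breadcrumb_link_safe($term_name, $path) {
    $safe_name = htmlspecialchars($term_name, ENT_QUOTES, 'UTF-8');
    $safe_path = htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $safe_path . '">' . $safe_name . '</a>';
}

// Builds the trail "Home » term1 » term2" with the supplied link renderer.
function build_breadcrumb(array $terms, callable $link_fn) {
    $links = array('<a href="/">Home</a>');
    foreach ($terms as $tid => $name) {
        $links[] = $link_fn($name, '/taxonomy/term/' . (int) $tid);
    }
    return implode(' &raquo; ', $links);
}

// Constructed sample term list; the second name carries markup.
$terms = array(
    12 => 'Security',
    13 => 'Advisories <script>alert(1)</script>',
);

$vulnerable = build_breadcrumb($terms, 'breadcrumb_link_vulnerable');
$safe       = build_breadcrumb($terms, 'breadcrumb_link_safe');

// Self-check: the hardened output must carry no raw <script>, only its
// escaped form, while the vulnerable output reproduces it verbatim.
assert(strpos($vulnerable, '<script>') !== false);
assert(strpos($safe, '<script>') === false);
assert(strpos($safe, '&lt;script&gt;') !== false);

echo "vulnerable: $vulnerable\n";
echo "safe:       $safe\n";
```

Escaping at output, rather than filtering on input, is the right place for the fix: term names that were already stored with markup are rendered harmless once the renderer is corrected, so upgrading the module needs no data cleanup.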
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:michael_nichols:taxonomy_breadcrumb:5.x-1.0:*:*:*:*:*:*:*
- cpe:2.3:a:michael_nichols:taxonomy_breadcrumb:5.x-1.0:dev:*:*:*:*:*:*
- cpe:2.3:a:michael_nichols:taxonomy_breadcrumb:5.x-1.1:*:*:*:*:*:*:*
- cpe:2.3:a:michael_nichols:taxonomy_breadcrumb:5.x-1.2:*:*:*:*:*:*:*
- cpe:2.3:a:michael_nichols:taxonomy_breadcrumb:5.x-1.3:*:*:*:*:*:*:*
- cpe:2.3:a:michael_nichols:taxonomy_breadcrumb:6.x-0.1:beta:*:*:*:*:*:*
- cpe:2.3:a:michael_nichols:taxonomy_breadcrumb:6.x-1.0:*:*:*:*:*:*:*
- cpe:2.3:a:michael_nichols:taxonomy_breadcrumb:6.x-1.x:dev:*:*:*:*:*:*
- (no CPE) version range: <5.x-1.5, <6.x-1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- drupal.org/node/757974 (NVD: Patch)
- drupal.org/node/757980 (NVD: Patch)
- drupal.org/node/758456 (NVD: Patch, Vendor Advisory)
- secunia.com/advisories/39138 (NVD: Vendor Advisory)
- osvdb.org/63424 (NVD)
- exchange.xforce.ibmcloud.com/vulnerabilities/57446 (NVD)
News mentions
No linked articles in our index yet.