• Advisory ID: DRUPAL-SA-CONTRIB-2009-099
  • Project: RootCandy (third-party theme)
  • Version: 6.x
  • Date: 2009-November-11
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting

Description

RootCandy is a theme specifically designed for use in the administration section. The theme fails to sanitize a URL value, leading to a Cross Site Scripting (XSS) vulnerability.

Versions affected

Drupal core is not affected. If you do not use the contributed RootCandy theme, there is nothing you need to do.

Solution

Upgrade to the latest version:

Reported by

  • Reported by Jim McIntyre

Fixed by

Contact

The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.