By meba on
- Advisory ID: DRUPAL-SA-CONTRIB-2009-099
- Project: RootCandy (third-party theme)
- Version: 6.x
- Date: 2009-November-11
- Security risk: Moderately Critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
RootCandy is a theme specifically designed for use in the administration section. The theme fails to sanitize a URL value, leading to a Cross Site Scripting (XSS) vulnerability.
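The advisory does not say which URL value the theme printed or where, so the following is an added illustration of the bug class, not RootCandy's own code: a Drupal 6 theme template that reflects a request-supplied URL into an href attribute unescaped, beside the same output hardened with Drupal 6 core's check_url() and, preferably, built from a known path with l(). The template name, the $_GET parameter and the variable names are assumptions.

```php
<?php
// Hypothetical fragment of a Drupal 6 theme template (assumed: page.tpl.php).
// Assumption: the theme renders a "back" link from a request parameter.
// This is not RootCandy's actual code; it shows the pattern the advisory
// describes (an unsanitized URL value reaching HTML output) and its fix.

// --- Vulnerable pattern ---------------------------------------------------
// The raw value is echoed straight into an attribute. A value beginning with
// an unexpected scheme, or one that closes the quote and injects markup, is
// reflected unchanged and runs in the administrator's browser session, which
// is what makes an admin-only theme a worthwhile XSS target.
$return_url = isset($_GET['return']) ? $_GET['return'] : '';
?>
<a href="<?php print $return_url; ?>">Back</a>

<?php
// --- Hardened pattern -----------------------------------------------------
// check_url() (Drupal 6 core, includes/common.inc) strips protocols that are
// not on the allowed list and then entity-encodes the remainder via
// check_plain(), so the result is safe inside a double-quoted attribute.
$safe_url = check_url($return_url);
?>
<a href="<?php print $safe_url; ?>">Back</a>

<?php
// Preferred: do not trust a caller-supplied URL at all. Build the link from a
// known internal path; l() runs the path through url() and escapes the link
// text and attributes itself.
print l(t('Back'), 'admin');
?>
```

When reviewing a theme for this class of issue, every `print` of a variable that originates in the request (`$_GET`, `$_SERVER['REQUEST_URI']`, `arg()` values) or in a database field should be passed through check_url(), check_plain() or filter_xss() as appropriate to the output context; in Drupal 6 themes this is usually done in a preprocess function in template.php so that .tpl.php files only print already-escaped variables.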
Versions affected
- RootCandy theme for Drupal 6.x prior to RootCandy 6.x-1.5
Drupal core is not affected. If you do not use the contributed RootCandy theme, there is nothing you need to do.
Solution
Upgrade to the latest version:
- If you use the RootCandy theme for Drupal 6.x, upgrade to RootCandy 6.x-1.5
Reported by
- Reported by Jim McIntyre
Fixed by
- Fixed by Marek Sotak, the theme maintainer
Contact
The security team for Drupal can be reached at security at drupal.org or via the form at http://drupal.org/contact.