SA-CONTRIB-2012-172 - Zero Point - Cross Site Scripting (XSS)

By Drupal Security Team on 28 Nov 2012 at 22:08 UTC

Advisory ID: DRUPAL-SA-CONTRIB-2012-172
Project: Zero Point (third-party module)
Version: 6.x, 7.x
Date: 2012-November-28
Security risk: Critical
Exploitable from: Remote
Vulnerability: Cross Site Scripting

Description

Zero Point is an advanced theme which includes many options, ideal for a wide range of sites.

The theme does not escape path aliases exposing a Cross site scripting (XSS) vulnerability in URLs. There are no mitigating factors.

CVE: CVE-2012-5591

Versions affected

zeropoint 6.x-1.x versions prior to 6.x-1.18
zeropoint 7.x-1.x versions prior to 7.x-1.4

Drupal core is not affected. If you do not use the contributed Zero Point module, there is nothing you need to do.

Solution

Install the latest version:

If you use the Zero Point theme for Drupal 6.x, upgrade to zeropoint 6.x-1.18
If you use the Zero Point theme for Drupal 7.x, upgrade to zeropoint 7.x-1.4

Also see the Zero Point project page.

Reported by

samatha

Fixed by

Florian Radut the module maintainer
Christian López Espínola

Coordinated by

Klaus Purer of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.