SA-CONTRIB-2013-070 - Zen - Cross Site Scripting

By Drupal Security Team on 21 Aug 2013 at 19:17 UTC

Advisory ID: DRUPAL-SA-CONTRIB-2013-070
Project: Zen (third-party module)
Version: 7.x
Date: 2013-August-21
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Cross Site Scripting

Description

The Zen theme is a very popular base/starter theme.

Zen doesn't sufficiently escape the breadcrumb separator field, allowing a possible XSS exploit.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer themes".

CVE identifier(s) issued

CVE-2013-4275

Versions affected

Zen 7.x-3.x versions prior to 7.x-3.2.
Zen 7.x-5.x versions prior to 7.x-5.4.

Drupal core is not affected. If you do not use the contributed Zen module, there is nothing you need to do.

Solution

Install the latest version:

If you use the Zen theme for Drupal 7.x, upgrade to Zen 7.x-3.2 or Zen 7.x-5.4.

Also see the Zen project page.

Reported by

Daniel Nitsche

Fixed by

John Albin Wilkins, the theme maintainer

Coordinated by

Greg Knaddison of the Drupal Security Team
Klaus Purer of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.