Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By Drupal Security Team on
- Advisory ID: DRUPAL-SA-CONTRIB-2014-025
- Project: Open Omega (third-party theme)
- Version: 7.x
- Date: 2014-February-26
- Security risk: Less critical
- Exploitable from: Remote
- Vulnerability: Access bypass
Description
This theme is a sub theme of omega used as as a sample theme for the open Public Distribution.
The theme doesn't sufficiently check the users menu access when building the header and footer menus, so that it can expose the title and path of restricted items in the menu.
This vulnerability is mitigated by the fact that that it is only present when this menu has items with restricted access that differ by role.
CVE identifier(s) issued
- A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
- openomega 7.x-1.x versions prior to 7.x-1.1.
Drupal core is not affected. If you do not use the contributed Open Omega module, there is nothing you need to do.
Solution
Install the latest version:
- If you use this theme for Drupal 7.x, upgrade to Open Omega 7.x-1.1
Also see the Open Omega project page.
Reported by
Fixed by
- Erik Summerfield, the theme maintainer
Coordinated by
- Hunter Fox of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
