CVSS2: 4.3 Medium
Attack Vector: NETWORK | Attack Complexity: MEDIUM | Authentication: NONE
Confidentiality Impact: NONE | Integrity Impact: PARTIAL | Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS: 0.002 Low (Percentile: 64.9%)
CVE: CVE-2012-2083
Fusion is a base theme that provides a configurable grid system and modular styling for common Drupal UI components.
The theme outputs a CSS class for the `<body>` tag based on the current URL, but does not filter that value sufficiently to prevent a cross-site scripting (XSS) attack.
This vulnerability affects all sub-themes of Fusion.
Drupal core is not affected. If you do not use the contributed Fusion module, there is nothing you need to do.
If you utilize Fusion or a Fusion-based theme, you should upgrade to Fusion 6.x-1.13.
In your sub-theme's YOURTHEME_preprocess_page() function, look for this code:

```php
$vars['body_id'] = 'pid-' . strtolower(preg_replace('/[_+\/]/', '-', drupal_get_path_alias($_GET['q'])));
```
If this code exists within your sub-theme, there are two possible solutions:
1. **Recommended:** Delete the line of code. It is unnecessary in your sub-theme, since the sub-theme will inherit this functionality from Fusion Core.
2. Replace the code with the following:

```php
$vars['body_id'] = 'pid-' . strtolower(fusion_core_clean_css_identifier(drupal_get_path_alias($_GET['q'])));
```

fusion_core_clean_css_identifier() is a function added in this security release of Fusion. Making this change to your sub-theme's code without updating Fusion core will result in a WSOD (white screen of death), because the function will not exist.
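The following is an added example, not code from the Fusion project, showing why the original `preg_replace()` is an insufficient filter: it only rewrites `_`, `+` and `/`, so quotes, angle brackets and whitespace from a path alias reach the `id` attribute unchanged. The hardened function is a generic allowlist stand-in and is not the implementation of `fusion_core_clean_css_identifier()`; the sample aliases are constructed.

```php
<?php
// Added example: models the vulnerable body-id construction from the advisory
// beside a hardened allowlist version. Not Fusion's own code.

// Vulnerable transform as quoted in the advisory. Only '_', '+' and '/' are
// rewritten to '-'; '"', '<', '>' and spaces pass straight through into markup.
function vulnerable_body_id(string $alias): string {
    return 'pid-' . strtolower(preg_replace('/[_+\/]/', '-', $alias));
}

// Hardened stand-in (assumption: NOT the real fusion_core_clean_css_identifier()).
// After the same '-' rewrite, keep only characters valid in a CSS identifier
// (letters, digits, '-' and '_') and drop everything else rather than escape it,
// so the value can never terminate the attribute or the tag it is printed into.
function hardened_body_id(string $alias): string {
    $id = preg_replace('/[_+\/]/', '-', $alias);
    $id = preg_replace('/[^A-Za-z0-9_-]/', '', $id);
    return 'pid-' . strtolower($id);
}

// Constructed sample aliases: a benign path and one carrying
// attribute-breaking characters, as an unaliased $_GET['q'] value could.
$samples = [
    'about_us/team',
    'blog/entry" data-x="',
];

foreach ($samples as $alias) {
    printf("alias:      %s\n", $alias);
    // A page template that prints the id unescaped renders these attributes.
    printf("vulnerable: <body id=\"%s\">\n", vulnerable_body_id($alias));
    printf("hardened:   <body id=\"%s\">\n", hardened_body_id($alias));
}
```

For the second alias the vulnerable version yields `pid-blog-entry" data-x="`, which closes the `id` attribute and injects a new one, while the hardened version yields `pid-blog-entrydata-x`; the benign alias produces `pid-about-us-team` in both.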
Also see the Fusion project page.
drupal.org/node/1506600
drupal.org/project/fusion