Lucene search

Drupal Security TeamDRUPAL-SA-CONTRIB-2013-055

HistoryJul 10, 2013 - 12:00 a.m.

SA-CONTRIB-2013-055 - Hatch - Cross Site Scripting

2013-07-1000:00:00

Drupal Security Team

www.drupal.org

2.1 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:S/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

36.6%

JSON

Hatch theme is a simple and minimal portfolio theme for photographers, illustrators, designers, or photobloggers.
The theme didn’t sufficiently escape user supplied text prior to printing them.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “Administer content”, “Create new article”, or “Edit any article type content” .

CVE identifier(s) issued

CVE-2013-4138

Versions affected

Hatch theme 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Hatch module, there is nothing you need to do.

Solution

Install the latest version:

If you use the Hatch theme for Drupal 7.x, upgrade to Hatch 7.x-1.4

Also see the Hatch project page.

Reported by

Daniel Nitsche

Fixed by

Daniel Nitsche

Coordinated by

Lee Rowlands (larowlan) of the Drupal Security Team

References

drupal.org/contact

drupal.org/project/hatch

drupal.org/security-team

drupal.org/security-team/risk-levels

drupal.org/security/secure-configuration

drupal.org/user/395439

drupal.org/writing-secure-code

drupal.org/node/2038189

drupal.org/user/1151108

2.1 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:S/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

36.6%

JSON

Related for DRUPAL-SA-CONTRIB-2013-055