Drupal Security TeamDRUPAL-SA-CONTRIB-2013-070SA-CONTRIB-2013-070 - Zen - Cross Site Scripting
3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
0.002 Low
EPSS
Percentile
56.0%
The Zen theme is a very popular base/starter theme.
Zen doesn’t sufficiently escape the breadcrumb separator field, allowing a possible XSS exploit.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer themes”.
CVE identifier(s) issued
- CVE-2013-4275
Versions affected
- Zen 7.x-3.x versions prior to 7.x-3.2.
- Zen 7.x-5.x versions prior to 7.x-5.4.
Drupal core is not affected. If you do not use the contributed Zen module, there is nothing you need to do.
Solution
Install the latest version:
- If you use the Zen theme for Drupal 7.x, upgrade to Zen 7.x-3.2 or Zen 7.x-5.4.
Also see the Zen project page.
Reported by
Fixed by
- John Albin Wilkins, the theme maintainer
Coordinated by
- Greg Knaddison of the Drupal Security Team
- Klaus Purer of the Drupal Security Team
Related
3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
0.002 Low
EPSS
Percentile
56.0%