3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
0.967 High
EPSS
Percentile
99.7%
Newsflash is a theme that features 7 color styles, 12 collapsible regions, suckerfish menus, fluid or fixed widths, built-in IE transparent PNG fix, and lots more.
The theme does not sanitize the user provided theme setting for the font family CSS property, thereby exposing a cross-site scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer themes”.
Drupal core is not affected. If you do not use the contributed NewsFlash theme, there is nothing you need to do.
Install the latest version:
Also see the NewsFlash project page.