SA-CONTRIB-2014-037 - BlueMasters - Cross Site Scripting

2014-04-09 00:00:00
Drupal Security Team
www.drupal.org
CVSS2: 3.5 Low

  • Attack Vector: NETWORK
  • Attack Complexity: MEDIUM
  • Authentication: SINGLE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N

EPSS: 0.001 Low (Percentile: 44.7%)

Bluemasters is a responsive layout theme for Drupal 7.

The Bluemasters theme does not properly sanitize theme settings before they are used in the output of a page.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer themes”.
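
The bug class described above, theme settings printed without sanitization, can be audited for in a Drupal 7 theme's template files. The heuristic scanner below is an added example, not code from the advisory or from the Bluemasters project; the setting names in the sample template are hypothetical, and it relies only on the standard Drupal 7 functions theme_get_setting(), check_plain(), filter_xss(), filter_xss_admin() and check_url().

```python
import re

# Drupal 7 helpers that make a value safe to print into HTML or a URL attribute.
SANITIZER = re.compile(r"\b(?:check_plain|filter_xss_admin|filter_xss|check_url)\s*\(")
SETTING = re.compile(r"theme_get_setting\s*\(\s*['\"]([^'\"]+)['\"]")
ASSIGN = re.compile(r"(\$\w+)\s*=(?![=>])")
OUTPUT = re.compile(r"\b(?:print|echo)\b|<\?=")

def wrapped(text, pos):
    """True if offset pos lies inside a sanitizer call that is still open."""
    for call in SANITIZER.finditer(text, 0, pos):
        depth = 1
        for ch in text[call.end():pos]:
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                break
        if depth > 0:
            return True
    return False

def find_unsanitized_settings(source):
    """Return sorted (line, setting) pairs for settings printed unsanitized."""
    tainted, findings = {}, set()
    # Heuristic statement split: each chunk ends at ';' or a closing PHP tag.
    for stmt in re.finditer(r".*?(?:;|\?>)", source, re.S):
        text, base = stmt.group(0), stmt.start()
        raw = [(m.start(), m.group(1)) for m in SETTING.finditer(text)
               if not wrapped(text, m.start())]
        out, assign = OUTPUT.search(text), ASSIGN.search(text)
        if out:
            hits = [(p, name) for p, name in raw if p > out.start()]
            for var, name in tainted.items():
                hits += [(m.start(), name)
                         for m in re.finditer(re.escape(var) + r"\b", text)
                         if m.start() > out.start() and not wrapped(text, m.start())]
            findings.update((source.count("\n", 0, base + p) + 1, name) for p, name in hits)
        elif assign and raw:
            tainted[assign.group(1)] = raw[0][1]   # variable now holds a raw setting
        elif assign:
            tainted.pop(assign.group(1), None)     # reassigned to something else
    return sorted(findings)

# Constructed template; the setting names are hypothetical, not Bluemasters' own.
SAMPLE_TEMPLATE = """<?php print theme_get_setting('footer_text'); ?>
<?php print check_plain(theme_get_setting('footer_note')); ?>
<?php $link = theme_get_setting('promo_url'); ?>
<a href="<?php print $link; ?>">promo</a>
<a href="<?php print check_url($link); ?>">promo</a>"""

print(find_unsanitized_settings(SAMPLE_TEMPLATE))
```

The scanner follows a setting through one local variable within a single file only, so values passed from template.php preprocess functions into a .tpl.php file still need manual review.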

CVE identifier(s) issued

  • CVE-2014-7978

Versions affected

  • Bluemasters 7.x-2.x versions prior to 7.x-2.1.

Drupal core is not affected. If you do not use the contributed BlueMasters theme, there is nothing you need to do.

Solution

Install the latest version:

Also see the BlueMasters project page.

Reported by

Fixed by

Coordinated by
