Lucene search

Drupal Security TeamDRUPAL-SA-CONTRIB-2014-044

HistoryApr 23, 2014 - 12:00 a.m.

SA-CONTRIB-2014-044 - Professional Theme - Cross Site Scripting (XSS)

2014-04-2300:00:00

Drupal Security Team

www.drupal.org

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

EPSS

0.967

Percentile

99.7%

JSON

Professional Theme is a modern and professional Drupal theme.

The theme does not sufficiently sanitize theme settings input for custom copyright information

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “Administer themes”.

CVE identifier(s) issued

CVE-2014-8076

Versions affected

Professional Theme for 7.x prior to 7.x-2.04

Drupal core is not affected. If you do not use the contributed Professional Theme module, there is nothing you need to do.

Solution

Install the latest version:

If you use the Professional Theme for Drupal 7.x, upgrade to 7.x-2.04

Also see the Professional Theme project page.

Reported by

Dennis Walgaard

Fixed by

Matt Heinke the theme maintainer
Dennis Walgaard

Coordinated by

Matt Kleve of the Drupal Security Team

References

drupal.org/contact

drupal.org/node/2248095

drupal.org/project/professional_theme

drupal.org/security-team

drupal.org/security-team/risk-levels

drupal.org/security/secure-configuration

drupal.org/user/150473

drupal.org/user/36463

drupal.org/user/615306

drupal.org/writing-secure-code

twitter.com/drupalsecurity

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

EPSS

0.967

Percentile

99.7%

JSON

Related for DRUPAL-SA-CONTRIB-2014-044