SA-CONTRIB-2014-047 - Zen - Cross Site Scripting

The Zen theme is a powerful, yet simple, HTML5 starting theme with a responsive, mobile-first grid design.

The theme does not properly sanitize theme settings before they are used in the output of a page. Themes that have copied code from Zen’s template.php may suffer from this same issue. If your theme creates variables in a preprocess using text from a custom theme setting, like this:

$variables['skip_link_text'] = theme_get_setting('skip_link_text');

you can prevent malicious XSS attacks by modifying the code to look like this:

$variables['skip_link_text'] = check_plain(theme_get_setting('skip_link_text'));

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer theme”.

CVE identifier(s) issued

• CVE-2014-7980

Versions affected

• Zen 7.x-5.x versions prior to 7.x-5.5.
• Zen 7.x-3.x versions prior to 7.x-3.3.

Drupal core is not affected. If you do not use the contributed Zen theme, there is nothing you need to do.

Solution

Install the latest version:

• If you use the Zen theme for Drupal 7.x, upgrade to Zen 7.x-3.3 or Zen 7.x-5.5

Also see the Zen project page.

Reported by

• Dennis Walgaard

Fixed by

• Dennis Walgaard
• John Albin Wilkins the theme maintainer

Coordinated by

• Greg Knaddison of the Drupal Security Team