
it-securitynotifies - [IT-SecNots] [Security-news] Beale Street - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-048

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Beale Street - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-048
  • Date: Wed, 11 Jul 2018 17:03:29 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2018-048

Project: Beale Street [1]
Date: 2018-July-11
Security risk: *Moderately critical* 13∕25
AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross Site Scripting

Description: 
This theme features 4 built-in color styles, 18 collapsible regions,
Suckerfish menus, flexible widths, adjustable sidebars, configurable font
family, and lots more.

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is not exploitable
under common site configurations.

Solution: 
* If you use the Beale Street theme for Drupal 7.x, upgrade to Beale Street
7.x-1.2 [3]

Also see the Beale Street [4] project page.

Reported By: 
* Drew Webber [5]

Fixed By: 
* Kisugi Ai [6]

Coordinated By: 
* Michael Hess [7] of the Drupal Security Team


[1] https://www.drupal.org/project/bealestreet
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/bealestreet/releases/7.x-1.2
[4] https://www.drupal.org/project/bealestreet
[5] https://www.drupal.org/user/255969
[6] https://www.drupal.org/user/1284976
[7] https://www.drupal.org/u/mlhess
