it-securitynotifies - [IT-SecNots] [Security-news] litejazz - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-050

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] litejazz - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-050
  • Date: Wed, 11 Jul 2018 17:03:37 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2018-050

Project: litejazz [1]
Date: 2018-July-11
Security risk: *Moderately critical* 14∕25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross Site Scripting

Description: 
This theme features 3 color styles, 12 fully collapsible regions, suckerfish
menus, fluid or fixed widths, easy configuration, and more.

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is only
exploitable with non-default settings and under certain site configurations.

Solution: 
Install the latest version:

* If you use the litejazz theme for Drupal 7.x, upgrade to litejazz 7.x-2.3
[3]

Also see the litejazz [4] project page.

Reported By: 
* Drew Webber [5]

Fixed By: 
* Kisugi Ai [6]

Coordinated By: 
* Michael Hess [7] of the Drupal Security Team


[1] https://www.drupal.org/project/litejazz
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/litejazz/releases/7.x-2.3
[4] https://www.drupal.org/project/litejazz
[5] https://www.drupal.org/user/255969
[6] https://www.drupal.org/user/1284976
[7] https://www.drupal.org/u/mlhess
