NewsFlash - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-049
View online: https://www.drupal.org/sa-contrib-2018-049

Project: NewsFlash [1]
Date: 2018-July-11
Security risk: *Moderately critical* 14∕25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross Site Scripting

Description:
This theme features 7 color styles, 12 collapsible regions, suckerfish menus, fluid or fixed widths, and lots more.

The theme doesn't sufficiently sanitize user input.

This vulnerability is mitigated by the fact that the theme is only exploitable with non-default settings and under certain site configurations.

Solution:
Install the latest version:

* If you use the NewsFlash theme for Drupal 7.x, upgrade to NewsFlash 7.x-2.6 [3]

Also see the NewsFlash [4] project page.

Reported By:
* Drew Webber [5]

Fixed By:
* Kisugi Ai [6]

Coordinated By:
* Michael Hess [7] of the Drupal Security Team

[1] https://www.drupal.org/project/newsflash
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/newsflash/releases/7.x-2.6
[4] https://www.drupal.org/project/newsflash
[5] https://www.drupal.org/user/255969
[6] https://www.drupal.org/user/1284976
[7] https://www.drupal.org/u/mlhess