Tapestry - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-051 - Security-news

11 Jul 2018


      View online: https://www.drupal.org/sa-contrib-2018-051
Project: Tapestry [1]
Date: 2018-July-11
Security risk: *Moderately critical* 14∕25
AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross Site Scripting
Description: 
This theme provides Drupal users with many advanced features including 20
Different Color Styles, 30 User Regions, Custom Block Theme Templates,
Suckerfish Menus, Icon Support, Advanced Page Layout Options, Simple
Configuration, Custom Typography...
The theme doesn't sufficiently sanitize user input.
This vulnerability is mitigated by the fact that the theme is only
exploitable with non-default settings and under certain site configurations.
Solution: 
Install the latest version:
* If you use the Tapestry theme for Drupal 7.x, upgrade to Tapestry 7.x-2.2
     [3]
Also see the Tapestry [4] project page.
Reported By: 
   * Drew Webber  [5]
Fixed By: 
   * Kisugi Ai [6]
Coordinated By: 
   * Michael Hess [7] of the Drupal Security Team
[1] https://www.drupal.org/project/tapestry
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/tapestry/releases/7.x-2.2
[4] https://www.drupal.org/project/tapestry
[5] https://www.drupal.org/user/255969
[6] https://www.drupal.org/user/1284976
[7] https://www.drupal.org/u/mlhess