View online: https://www.drupal.org/sa-contrib-2018-048
Project: Beale Street [1]
Date: 2018-July-11
Security risk: *Moderately critical* 13∕25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2]
Vulnerability: Cross Site Scripting
Description: This theme features 4 built-in color styles, 18 collapsible regions, Suckerfish menus, flexible widths, adjustable sidebars, configurable font family, and lots more.
The theme doesn't sufficiently sanitize user input.
This vulnerability is mitigated by the fact that the theme is not exploitable under common site configurations.
Solution:
* If you use the Beale Street theme for Drupal 7.x, upgrade to Beale Street 7.x-1.2 [3]
Also see the Beale Street [4] project page.
Reported By:
* Drew Webber [5]
Fixed By:
* Kisugi Ai [6]
Coordinated By:
* Michael Hess [7] of the Drupal Security Team
[1] https://www.drupal.org/project/bealestreet
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/bealestreet/releases/7.x-1.2
[4] https://www.drupal.org/project/bealestreet
[5] https://www.drupal.org/user/255969
[6] https://www.drupal.org/user/1284976
[7] https://www.drupal.org/u/mlhess