
SA-CONTRIB-2014-059 - Touch Theme - Cross Site Scripting (XSS)

2014-06-11 00:00:00
Drupal Security Team
www.drupal.org

CVSS2: 2.1 Low

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Authentication: SINGLE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE
  • Vector: AV:N/AC:H/Au:S/C:N/I:P/A:N

EPSS: 0.967 High (percentile 99.7%)

Touch Theme is a lightweight theme with a modern look and feel.

The theme does not sufficiently sanitize the Twitter and Facebook username values entered in its theme settings before rendering them, allowing cross-site scripting.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “Administer themes”.
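As an added illustration of this bug class (not the Touch theme's own code), the Drupal 7 pattern in which a theme-settings value is read back with theme_get_setting() and printed into page markup, shown unescaped beside the escaped form. The theme prefix `mytheme_`, the setting name `mytheme_twitter_username` and the template variable are assumptions for the example.

```php
<?php
// Added example, not Touch's code. Names are assumed for illustration.

/**
 * Implements hook_form_system_theme_settings_alter() (theme-settings.php).
 * Adds a Twitter username textfield to the theme settings form. Whatever an
 * "Administer themes" user types here is stored verbatim, so it is untrusted
 * input from the point of view of every page that later renders it.
 */
function mytheme_form_system_theme_settings_alter(&$form, &$form_state) {
  $form['mytheme_social'] = array(
    '#type' => 'fieldset',
    '#title' => t('Social links'),
  );
  $form['mytheme_social']['mytheme_twitter_username'] = array(
    '#type' => 'textfield',
    '#title' => t('Twitter username'),
    '#default_value' => theme_get_setting('mytheme_twitter_username'),
  );
}

/**
 * Implements hook_preprocess_page() (template.php).
 * Builds the link that page.tpl.php prints with <?php print $twitter_link; ?>.
 */
function mytheme_preprocess_page(&$variables) {
  $username = theme_get_setting('mytheme_twitter_username');
  if (empty($username)) {
    $variables['twitter_link'] = '';
    return;
  }

  // VULNERABLE: the stored setting is concatenated into an attribute and a
  // text node as-is. Quotes or angle brackets in the value break out of the
  // markup, so the page renders whatever the setting contains.
  // $variables['twitter_link'] =
  //   '<a href="https://twitter.com/' . $username . '">@' . $username . '</a>';

  // HARDENED: encode for each output context separately. drupal_encode_path()
  // makes the value safe as a URL path segment; check_plain() makes it safe
  // as HTML text and as an attribute value.
  $href = 'https://twitter.com/' . drupal_encode_path($username);
  $variables['twitter_link'] =
    '<a href="' . check_plain($href) . '">@' . check_plain($username) . '</a>';
}
```

The same fix applies to the Facebook username field named in the advisory; the point is that a value coming from the theme settings store is still user input and must be escaped on output, not trusted because only an administrator could have set it.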

CVE identifier(s) issued

  • CVE-2014-4303

Versions affected

  • Touch 7.x-1.x versions prior to 7.x-1.9.

Drupal core is not affected. If you do not use the contributed Touch theme, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Touch theme for Drupal 7.x, upgrade to Touch 7.x-1.9

Also see the Touch project page.

Reported by

Fixed by

Coordinated by
