Drupal Association members fund grants that make connections all over the world.
- Advisory ID: DRUPAL-SA-CONTRIB-2013-070
- Project: Zen (third-party module)
- Version: 7.x
- Date: 2013-August-21
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
The Zen theme is a very popular base/starter theme.
Zen doesn't sufficiently escape the breadcrumb separator field, allowing a possible XSS exploit.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer themes".
CVE identifier(s) issued
- Zen 7.x-3.x versions prior to 7.x-3.2.
- Zen 7.x-5.x versions prior to 7.x-5.4.
Drupal core is not affected. If you do not use the contributed Zen module, there is nothing you need to do.
Install the latest version:
Also see the Zen project page.
- John Albin Wilkins, the theme maintainer
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.