=====================================================================
CERT-Renater Information Note No. 2013/VULN360
_____________________________________________________________________

DATE                 : 22/08/2013
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Zen for DRUPAL versions 7.x-3.x
                       prior to 7.x-3.2, 7.x-5.x prior to 7.x-5.4.
======================================================================

https://drupal.org/node/2071157
______________________________________________________________________

SA-CONTRIB-2013-070 - Zen - Cross Site Scripting

Posted by Drupal Security Team on August 21, 2013 at 7:17pm

Advisory ID:      DRUPAL-SA-CONTRIB-2013-070
Project:          Zen (third-party module)
Version:          7.x
Date:             2013-August-21
Security risk:    Moderately critical
Exploitable from: Remote
Vulnerability:    Cross Site Scripting

Description

The Zen theme is a very popular base/starter theme.

Zen doesn't sufficiently escape the breadcrumb separator field before
output, allowing a possible XSS exploit.

This vulnerability is mitigated by the fact that an attacker must have a
role with the permission "administer themes".

CVE identifier(s) issued

A CVE identifier will be requested, and added upon issuance, in
accordance with Drupal Security Team processes.

Versions affected

- Zen 7.x-3.x versions prior to 7.x-3.2.
- Zen 7.x-5.x versions prior to 7.x-5.4.

Drupal core is not affected. If you do not use the contributed Zen
module, there is nothing you need to do.

Solution

Install the latest version:

- If you use the Zen theme for Drupal 7.x, upgrade to Zen 7.x-3.2 or
  Zen 7.x-5.4.

Also see the Zen project page.

Reported by

- Daniel Nitsche

Fixed by

- John Albin Wilkins, the theme maintainer

Coordinated by

- Greg Knaddison of the Drupal Security Team
- Klaus Purer of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via
the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing
secure code for Drupal, and securing your site.

Categories: Drupal 7.x
======================================================================

==========================================================
  CERT-Renater reference server
  https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44              +
+ 23 - 25 Rue Daviel  | fax : 01-53-94-20-41              +
+ 75013 Paris         | email: cert@support.renater.fr    +
==========================================================
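The Description section above states the whole bug in one sentence: a theme setting that an "administer themes" account can edit is written into page markup without escaping. The PHP below is an added illustration, not Zen's code and not the maintainer's actual fix; it shows the vulnerable concatenation pattern beside an escaped variant using Drupal 7's real check_plain(). It assumes the separator has already been read from the theme setting (in Zen that is theme_get_setting('zen_breadcrumb_separator'), an assumption here) and the breadcrumb crumbs are already-sanitized links; the sample separator values are constructed, and check_plain() is re-defined only when Drupal is not loaded so the file runs on plain PHP.

```php
<?php
// Added example (not Zen's own code and not the project's fix): why an
// unescaped breadcrumb separator is an XSS sink, and how escaping closes it.
// Assumption: real Zen reads the value via theme_get_setting(); here it is
// passed in directly so the script runs without a Drupal bootstrap.

// Drupal 7 core's check_plain() escapes HTML special characters for output.
// Defined here only when Drupal is not loaded, mirroring core's implementation.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Vulnerable pattern: the administrator-supplied separator is concatenated
// straight into markup, so any tag or script stored in the setting renders.
function zen_breadcrumb_unsafe(array $crumbs, $separator) {
  return implode($separator, $crumbs);
}

// Hardened pattern: escape the setting before it reaches the page. The crumbs
// are assumed to be already-sanitized link markup (e.g. Drupal's l() output),
// so only the untrusted setting is escaped.
function zen_breadcrumb_safe(array $crumbs, $separator) {
  return implode(check_plain($separator), $crumbs);
}

// Constructed inputs: a normal separator, and what an account holding the
// "administer themes" permission could save in the same field.
$crumbs  = array('<a href="/">Home</a>', '<a href="/node/1">Page</a>');
$benign  = ' » ';
$hostile = '<script>alert(1)</script>';

echo "benign,  unsafe: " . zen_breadcrumb_unsafe($crumbs, $benign)  . "\n";
echo "hostile, unsafe: " . zen_breadcrumb_unsafe($crumbs, $hostile) . "\n";
echo "hostile, safe  : " . zen_breadcrumb_safe($crumbs, $hostile)   . "\n";
```

Run with `php breadcrumb_demo.php`; the second line shows the script tag intact, the third shows it as `&lt;script&gt;...` text. One design choice to be aware of: check_plain() also turns an entity such as `&raquo;` into the literal text `&amp;raquo;`, so a site that wants entities or simple markup in the separator would instead pass the value through filter_xss_admin(), which strips script-bearing constructs while keeping ordinary tags. The advisory does not say which approach the Zen fix took. For triage on an existing site, the mitigating factor named in the advisory is the permission, so auditing which roles hold "administer themes" (user_roles(FALSE, 'administer themes') in Drupal 7) is the quickest way to scope exposure before upgrading.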