
====================================================================

                             CERT-Renater

                  Information Note No. 2020/VULN027
_____________________________________________________________________

DATE                : 16/01/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Radix for Drupal versions prior to
                     7.x-3.8.

=====================================================================
https://www.drupal.org/sa-contrib-2020-001
_____________________________________________________________________

Radix - Moderately critical - Cross site scripting - SA-CONTRIB-2020-001


Project: Radix
Date: 2020-January-15
Security risk: Moderately critical 13∕25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross site scripting


Description:

Radix is a base theme for Drupal, with Bootstrap 4, Sass, ES6 and
BrowserSync built-in.

The theme doesn't sufficiently filter menu titles when they are used in a
dropdown in the main menu.

This vulnerability is mitigated by the fact that an attacker must have
permission to edit a menu title used in the main menu.

Solution:

Install the latest version:

    If you use the Radix theme for Drupal 7.x, upgrade to Radix 7.x-3.8

Also see the Radix project page.
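
A check for the affected version range, as an added example that is not part of
the advisory or of the Radix project: it reads the version line that the
drupal.org packaging script writes into a Drupal 7 .info file and compares it
with 7.x-3.8. The sample file content is constructed, and reporting -dev and
pre-release builds as "unknown" is an assumption of this example.

```python
import re

FIXED = (3, 8)  # first fixed release named in the advisory: Radix 7.x-3.8

# Constructed sample of a radix.info file as shipped in a drupal.org tarball.
SAMPLE_INFO = '''name = Radix
description = Base theme
core = 7.x

; Information added by Drupal.org packaging script
version = "7.x-3.7"
core = "7.x"
project = "radix"
'''

def info_value(text, key):
    """Return the last value assigned to `key` in a Drupal 7 .info file, or None."""
    value = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        m = re.match(r'^%s\s*=\s*"?([^"]*)"?\s*$' % re.escape(key), line)
        if m:
            value = m.group(1).strip()
    return value

def radix_status(info_text):
    """Classify a radix.info file as 'vulnerable', 'fixed' or 'unknown'."""
    if info_value(info_text, "project") not in (None, "radix"):
        return "unknown"  # .info file belongs to another project
    version = info_value(info_text, "version")
    m = re.match(r"^7\.x-(\d+)\.(\d+)(-[A-Za-z]+\d*)?$", version or "")
    if not m:
        return "unknown"  # git checkout, -dev snapshot or another core branch
    release = (int(m.group(1)), int(m.group(2)))  # numeric, so 3.10 > 3.8
    if release < FIXED:
        return "vulnerable"
    if release == FIXED and m.group(3):
        return "unknown"  # assumed pre-release tag of 3.8: verify by hand
    return "fixed"

if __name__ == "__main__":
    print(radix_status(SAMPLE_INFO))
```

Pass the contents of each site's radix.info to radix_status(); any result other
than "fixed" means the theme should be upgraded or inspected manually.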


Reported By:

    annagaz

Fixed By:

    David Snopek of the Drupal Security Team

Coordinated By:

    David Snopek of the Drupal Security Team



=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================


