Drupal Aberdeen Theme Cross Site Scripting Vulnerability

Bugtraq ID:	53581
Class:	Input Validation Error
CVE:	CVE-2012-2709 CVE-2012-2907
Remote:	Yes
Local:	No
Published:	May 16 2012 12:00AM
Updated:	Mar 19 2015 07:35AM
Credit:	Jakub Suchy of the Drupal Security Team and Premek Sumpela.
Vulnerable:	Drupal Aberdeen 6.x-1.10
Not Vulnerable:	Drupal Aberdeen 6.x-1.11

Drupal Aberdeen Theme Cross Site Scripting Vulnerability

The Aberdeen theme for Drupal is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Aberdeen 6.x-1.x versions prior to 6.x-1.11 are vulnerable.

Drupal Aberdeen Theme Cross Site Scripting Vulnerability

Attackers can exploit this issue by enticing an unsuspecting victim to follow a malicious URI.

Drupal Aberdeen Theme Cross Site Scripting Vulnerability

Solution:
Updates are available. Please see the references for more details.

Drupal Aberdeen Theme Cross Site Scripting Vulnerability

References:

• Aberdeen Theme Homepage (Drupal)
  
• Drupal Homepage (Drupal)
  
• SA-CONTRIB-2012-081 - Aberdeen - Cross Site Scripting (Drupal)