Drupal Business Theme Slide Gallery HTML Injection Vulnerability

Bugtraq ID:	58216
Class:	Input Validation Error
CVE:	CVE-2013-1783
Remote:	Yes
Local:	No
Published:	Feb 27 2013 12:00AM
Updated:	Feb 27 2013 12:00AM
Credit:	Greg Knaddison of the Drupal Security Team
Vulnerable:	Drupal Business Theme 7.x-1.7
Not Vulnerable:	Drupal Business Theme 7.x-1.8

Drupal Business Theme Slide Gallery HTML Injection Vulnerability

The Business Theme for Drupal is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied text.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.

Versions prior to Business Theme 7.x-1.8 are vulnerable.

Drupal Business Theme Slide Gallery HTML Injection Vulnerability

Attackers can use a browser to exploit this issue.

Drupal Business Theme Slide Gallery HTML Injection Vulnerability

Solution:
Updates are available. Please see the references or vendor advisory for more information.

Drupal Business Theme Slide Gallery HTML Injection Vulnerability

References:

• Drupal Business Theme HomePage (Drupal)
  
• Drupal Language Switcher Dropdown Homepage (Drupal)
  
• SA-CONTRIB-2013-029 - Business theme - Cross Site Scripting (XSS) (Drupal)