Drupal Premium Responsive Theme Slide Gallery HTML Injection Vulnerability

Bugtraq ID:	58217
Class:	Input Validation Error
CVE:	CVE-2013-1785
Remote:	Yes
Local:	No
Published:	Feb 27 2013 12:00AM
Updated:	Feb 27 2013 12:00AM
Credit:	Greg Knaddison of the Drupal Security Team
Vulnerable:	Drupal Premium Responsive Theme 7.x-1.5
Not Vulnerable:	Drupal Premium Responsive Theme 7.x-1.6

Drupal Premium Responsive Theme Slide Gallery HTML Injection Vulnerability

The Premium Responsive Theme for Drupal is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied text.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.

Versions prior to Premium Responsive Theme 7.x-1.6 are vulnerable.

Drupal Premium Responsive Theme Slide Gallery HTML Injection Vulnerability

Attackers can use a browser to exploit this issue.

Drupal Premium Responsive Theme Slide Gallery HTML Injection Vulnerability

Solution:
Updates are available. Please see the references or vendor advisory for more information.

Drupal Premium Responsive Theme Slide Gallery HTML Injection Vulnerability

References:

• Drupal Language Switcher Dropdown Homepage (Drupal)
  
• Drupal Premium Responsive Theme HomePage (Drupal)
  
• SA-CONTRIB-2013-031 - Premium Responsive theme - Cross Site Scripting (XSS) (Drupal)