<div dir="ltr"><br><div class="gmail_quote">View online: <a href="https://www.drupal.org/sa-contrib-2020-001" rel="noreferrer" target="_blank">https://www.drupal.org/sa-contrib-2020-001</a><br>
<br>
Project: Radix [1]<br>
Date: 2020-January-15<br>
Security risk: *Moderately critical* 13∕25<br>
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]<br>
Vulnerability: Cross site scripting<br>
<br>
Description: <br>
Radix is a base theme for Drupal, with Bootstrap 4, Sass, ES6 and BrowserSync<br>
built-in.<br>
<br>
The theme doesn't sufficiently filter menu titles when they are rendered in a<br>
dropdown in the main menu.<br>
<br>
This vulnerability is mitigated by the fact that an attacker must have<br>
permission to edit a menu title used in the main menu.<br>
<br>
<br>
Solution: <br>
Install the latest version:<br>
<br>
* If you use the Radix theme for Drupal 7.x, upgrade to Radix 7.x-3.8 [3]<br>
<br>
Also see the Radix [4] project page.<br>
<br>
Reported By: <br>
* annagaz [5]<br>
<br>
Fixed By: <br>
* David Snopek [6] of the Drupal Security Team<br>
<br>
Coordinated By: <br>
* David Snopek [7] of the Drupal Security Team<br>
<br>
<br>
[1] <a href="https://www.drupal.org/project/radix" rel="noreferrer" target="_blank">https://www.drupal.org/project/radix</a><br>
[2] <a href="https://www.drupal.org/security-team/risk-levels" rel="noreferrer" target="_blank">https://www.drupal.org/security-team/risk-levels</a><br>
[3] <a href="https://www.drupal.org/project/radix/releases/7.x-3.8" rel="noreferrer" target="_blank">https://www.drupal.org/project/radix/releases/7.x-3.8</a><br>
[4] <a href="https://www.drupal.org/project/radix" rel="noreferrer" target="_blank">https://www.drupal.org/project/radix</a><br>
[5] <a href="https://www.drupal.org/user/2741499" rel="noreferrer" target="_blank">https://www.drupal.org/user/2741499</a><br>
[6] <a href="https://www.drupal.org/user/266527" rel="noreferrer" target="_blank">https://www.drupal.org/user/266527</a><br>
[7] <a href="https://www.drupal.org/user/266527" rel="noreferrer" target="_blank">https://www.drupal.org/user/266527</a><br>
<br>
</div></div>