Updated: Comment #0
Problem/Motivation
Part of SA-CORE-2013-003
A cross-site scripting vulnerability was found in the Color module. An attacker could trick an authenticated administrative user into visiting a page containing specific JavaScript, which could lead to a reflected cross-site scripting attack via JavaScript execution in CSS.
This vulnerability is mitigated by the fact that it can only take place in older browsers, and in a restricted set of modern browsers, namely Opera through user interaction, and Internet Explorer under certain conditions.
Original patch written by David Rothstein.
Proposed resolution
Forward-port the patch.
Remaining tasks
Review
User interface changes
None
API changes
?
Related Issues
None