Posted by timb on November 20, 2019 at 9:24pm
I have recently upgraded a site into Drupal 8 and choose the Nexus theme as my starting point. The security team recently released a security advisory on this theme (https://www.drupal.org/sa-contrib-2019-078) of critical and unsupported. It is recommended to uninstall. The theme does not offer an uninstall option. Is any Drupal 8 install (~13k) that used the Nexus theme now permanently insecure?
I am having a hard time figuring out what the unresolved security issue is with the Nexus theme. I have read through the issue queues, but assume it is not listed there to prevent exploits.
Can the security issue be mitigated by role, permissions, or settings? Is the install unsecured, if the theme is installed but not default?