View online: https://www.drupal.org/sa-contrib-2019-032
Project: Ubercart [1]
Date: 2019-March-06
Security risk: *Moderately critical* 12∕25 AC:None/A:Admin/CI:None/II:Some/E:Proof/TD:Default [2]
Vulnerability: Cross Site Request Forgery
Description: The Ubercart module provides a shopping cart and e-commerce features for Drupal.
The taxes module doesn't sufficiently protect the tax rate cloning feature. A malicious user could trick a store administrator into duplicating an existing tax rate by getting them to visit a specially-crafted URL.
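The weakness described above, as an added example (not Ubercart's code or its actual fix): a state-changing "clone" request handled without and with a token bound to the administrator's session and to the specific rate. The function names, key, session ID and the `tax-clone:` action string are assumptions; Drupal 7 itself provides drupal_get_token() and drupal_valid_token() for this purpose.

```php
<?php
// Added illustration; not Ubercart or Drupal code. All names are hypothetical.

// Derive a token bound to the admin's session and to one specific action.
function action_token(string $session_id, string $private_key, string $action): string {
  return hash_hmac('sha256', $action, $session_id . $private_key);
}

// Compare the supplied token with the expected one in constant time.
// $supplied is untyped on purpose: a missing or array-valued parameter is rejected.
function token_is_valid($supplied, string $session_id, string $private_key, string $action): bool {
  return is_string($supplied)
    && hash_equals(action_token($session_id, $private_key, $action), $supplied);
}

// Weak handler: any request that carries the admin's session cookie clones the rate.
function clone_rate_unprotected(array &$rates, int $rate_id): bool {
  if (!isset($rates[$rate_id])) {
    return false;
  }
  $rates[] = $rates[$rate_id] . ' (copy)';
  return true;
}

// Hardened handler: the request must also carry a token that the site issued.
function clone_rate_protected(array &$rates, int $rate_id, array $query,
                              string $session_id, string $private_key): bool {
  if (!isset($rates[$rate_id])) {
    return false;
  }
  if (!token_is_valid($query['token'] ?? null, $session_id, $private_key, "tax-clone:$rate_id")) {
    return false; // a real site would answer 403 Forbidden here
  }
  $rates[] = $rates[$rate_id] . ' (copy)';
  return true;
}

// Constructed sample data.
$key = 'constructed-site-private-key';
$session = 'constructed-admin-session-id';
$rates = [1 => 'VAT 20%', 2 => 'Reduced 5%'];

$site_link = ['token' => action_token($session, $key, 'tax-clone:1')]; // link rendered on the admin page
$cross_site = [];                                                       // cookie is sent, token is unknown
$other_rate = ['token' => action_token($session, $key, 'tax-clone:2')]; // token issued for another rate

var_dump(clone_rate_protected($rates, 1, $site_link, $session, $key));
var_dump(clone_rate_protected($rates, 1, $cross_site, $session, $key));
var_dump(clone_rate_protected($rates, 1, $other_rate, $session, $key));
var_dump(clone_rate_unprotected($rates, 1)); // no token check at all
```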
Solution: Install the latest version:
* If you use the Ubercart module for Drupal 7.x, upgrade to Ubercart 7.x-3.12 [3]
Reported By:
* Ayesh Karunaratne [4]
Fixed By:
* Dave Long [5]
* Ayesh Karunaratne [6]
* Tim Rohaly [7]
Coordinated By:
* Michael Hess [8] of the Drupal Security Team
[1] https://www.drupal.org/project/ubercart
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/ubercart/releases/7.x-3.12
[4] https://www.drupal.org/user/796148
[5] https://www.drupal.org/user/246492
[6] https://www.drupal.org/user/796148
[7] https://www.drupal.org/user/202830
[8] https://www.drupal.org/u/mlhess