View online: https://www.drupal.org/node/2905691 * Advisory ID: DRUPAL-SA-CONTRIB-2017-070 * Project: Commerce Invoices [1] (third-party module) * Version: 7.x * Date: 2017-August-30 * Security risk: 20/25 ( Highly Critical) AC:None/A:None/CI:All/II:Some/E:Theoretical/TD:All [2] * Vulnerability: Cross Site Scripting, SQL Injection -------- DESCRIPTION --------------------------------------------------------- Commerce Invoices allows you to enter an Invoice number, Company name and Amount and it will generate an Invoice that the client can pay on your site using any payment method supported by Drupal commerce. -------- SQL INJECTION ------------------------------------------------------- The module did not properly use Drupal's database API when querying the database with user supplied values, allowing an attacker to send a specially crafted request to modify the query or potentially perform additional queries. The vulnerability is mitigated by the fact that the attacker must have the 'access checkout' permission - this permission is commonly granted. -------- STORED CROSS SITE SCRIPTING (XSS) ----------------------------------- The module did not filter user-supplied text prior to printing that text back to users of the site. The vulnerability is mitigated by the fact that the attacker must have the 'access checkout' permission - this permission is commonly granted. -------- CVE IDENTIFIER(S) ISSUED -------------------------------------------- * /A CVE identifier [3] will be requested, and added upon issuance, in accordance with Drupal Security Team processes./ -------- VERSIONS AFFECTED --------------------------------------------------- * All Commerce invoice versions prior to 7.x-1.1 Drupal core is not affected. If you do not use the contributed Commerce Invoices [4] module, there is nothing you need to do. -------- SOLUTION ------------------------------------------------------------ Install the latest version: * If you use the Commerce invoice module for Drupal 7.x, upgrade to Commerce invoice 7.x-1.1 [5] Special note: the module's strings have changed. Any site that uses Drupal's localization system should review and update the translated strings on the site. Also see the Commerce Invoices [6] project page. -------- REPORTED BY --------------------------------------------------------- * Jean-Francois Hovinne [7] -------- FIXED BY ------------------------------------------------------------ * Samuel Solís [8] the module maintainer * Jean-Francois Hovinne [9] of the Drupal Security Team * Greg Knaddison [10] of the Drupal Security Team -------- COORDINATED BY ------------------------------------------------------ * Greg Knaddison [11] of the Drupal Security Team -------- CONTACT AND MORE INFORMATION ---------------------------------------- The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact [12]. Learn more about the Drupal Security team and their policies [13], writing secure code for Drupal [14], and securing your site [15]. Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity [16] [1] https://www.drupal.org/project/commerce_invoices [2] https://www.drupal.org/security-team/risk-levels [3] http://cve.mitre.org/ [4] https://www.drupal.org/project/commerce_invoices [5] https://www.drupal.org/project/commerce_invoices/releases/7.x-1.1 [6] https://www.drupal.org/project/commerce_invoices [7] https://www.drupal.org/user/139209 [8] https://www.drupal.org/user/1232954 [9] https://www.drupal.org/user/139209 [10] https://www.drupal.org/user/36762 [11] https://www.drupal.org/user/36762 [12] https://www.drupal.org/contact [13] https://www.drupal.org/security-team [14] https://www.drupal.org/writing-secure-code [15] https://www.drupal.org/security/secure-configuration [16] https://twitter.com/drupalsecurity