Ubercart - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2019-032 - Security-news

6 Mar 2019


      View online: https://www.drupal.org/sa-contrib-2019-032
Project: Ubercart [1]
Date: 2019-March-06
Security risk: *Moderately critical* 12∕25
AC:None/A:Admin/CI:None/II:Some/E:Proof/TD:Default [2]
Vulnerability: Cross Site Request Forgery
Description: 
The Ubercart module provides a shopping cart and e-commerce features for
Drupal.
The taxes module doesn't sufficiently protect the tax rate cloning feature. A
malicious user could trick a store administrator into duplicating an existing
tax rate by getting them to visit a specially-crafted URL.
Solution: 
Install the latest version:
* If you use the Ubercart module for Drupal 7.x, upgrade to Ubercart
     7.x-3.12 [3]
Reported By: 
   * Ayesh Karunaratne  [4]
Fixed By: 
   * Dave Long  [5]
   * Ayesh Karunaratne  [6]
   * Tim Rohaly  [7]
Coordinated By: 
   * Michael Hess [8] of the Drupal Security Team
[1] https://www.drupal.org/project/ubercart
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/ubercart/releases/7.x-3.12
[4] https://www.drupal.org/user/796148
[5] https://www.drupal.org/user/246492
[6] https://www.drupal.org/user/796148
[7] https://www.drupal.org/user/202830
[8] https://www.drupal.org/u/mlhess