[Security-news] Commerce Custom Order Status - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-046
security-news at drupal.org
Wed Jul 11 17:05:06 UTC 2018
View online: https://www.drupal.org/sa-contrib-2018-046
Project: Commerce Custom Order Status [1]
Date: 2018-July-11
Security risk: *Moderately critical* 13/25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting
Description:
Commerce Custom Order Status provides forms for administrators to add, edit,
and delete order statuses from the order settings screen.
The module doesn't sufficiently sanitize the output of the status names.
This vulnerability is mitigated by the fact that an attacker must have a role
with the "configure order settings" permission.
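As an added illustration, not the module's own code: the general Drupal 7 pattern behind this class of bug, with an unsanitized admin listing of status names beside its check_plain()-hardened form (the function names and the 'name'/'title' record keys are assumptions).

```php
<?php
// Added example (not the module's own code). $statuses is assumed to be an
// array of records loaded from the module's table; 'name' and 'title' are
// assumed keys holding administrator-entered values.

/**
 * VULNERABLE pattern: administrator-entered strings are dropped straight
 * into table cells. theme('table') treats cell values as markup, so a title
 * containing HTML (for example a <script> tag) is rendered, not displayed,
 * in the browser of every administrator who opens the settings screen.
 */
function example_order_status_table_vulnerable(array $statuses) {
  $rows = array();
  foreach ($statuses as $status) {
    $rows[] = array($status['name'], $status['title']);
  }
  return theme('table', array(
    'header' => array(t('Machine name'), t('Title')),
    'rows' => $rows,
  ));
}

/**
 * FIXED pattern: every stored string is HTML-encoded before it reaches the
 * render layer. check_plain() escapes the value; t() with an '@' placeholder
 * does the same for values interpolated into translatable text, so the
 * "Edit" link label is safe as well.
 */
function example_order_status_table_fixed(array $statuses) {
  $rows = array();
  foreach ($statuses as $status) {
    $rows[] = array(
      check_plain($status['name']),
      check_plain($status['title']),
      // Assumed admin path; the label is escaped via the '@' placeholder.
      l(t('Edit @title', array('@title' => $status['title'])),
        'admin/commerce/config/order/status/' . $status['name'] . '/edit'),
    );
  }
  return theme('table', array(
    'header' => array(t('Machine name'), t('Title'), t('Operations')),
    'rows' => $rows,
    'empty' => t('No custom order statuses defined.'),
  ));
}
```

The fixed form is the rule to audit for: any string an administrator can set (status names included) must pass through check_plain() or a '@'/'%' t() placeholder before rendering, since the "configure order settings" permission does not imply trust in the HTML that role submits.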
Solution:
Install the latest version:
* If you use the Commerce Custom Order Status module for Drupal 7.x, upgrade
to Commerce Custom Order Status 7.x-1.1 [3]
Also see the Commerce Custom Order Status [4] project page.
Reported By:
* bucefal91 [5]
Fixed By:
* bucefal91 [6]
* Fabien Leroux [7]
Coordinated By:
* Greg Knaddison [8] of the Drupal Security Team
[1] https://www.drupal.org/project/commerce_custom_order_status
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/commerce_custom_order_status/releases/7.x-1.1
[4] https://www.drupal.org/project/commerce_custom_order_status
[5] https://www.drupal.org/user/504128
[6] https://www.drupal.org/user/504128
[7] https://www.drupal.org/user/407852
[8] https://www.drupal.org/u/greggles