[Security-news] Ubercart - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2019-032
security-news at drupal.org
security-news at drupal.org
Wed Mar 6 19:01:57 UTC 2019
View online: https://www.drupal.org/sa-contrib-2019-032
Project: Ubercart [1]
Date: 2019-March-06
Security risk: *Moderately critical* 12∕25
AC:None/A:Admin/CI:None/II:Some/E:Proof/TD:Default [2]
Vulnerability: Cross Site Request Forgery
Description:
The Ubercart module provides a shopping cart and e-commerce features for
Drupal.
The taxes module doesn't sufficiently protect the tax rate cloning feature. A
malicious user could trick a store administrator into duplicating an existing
tax rate by getting them to visit a specially-crafted URL.
Solution:
Install the latest version:
* If you use the Ubercart module for Drupal 7.x, upgrade to Ubercart
7.x-3.12 [3]
Reported By:
* Ayesh Karunaratne [4]
Fixed By:
* Dave Long [5]
* Ayesh Karunaratne [6]
* Tim Rohaly [7]
Coordinated By:
* Michael Hess [8] of the Drupal Security Team
[1] https://www.drupal.org/project/ubercart
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/ubercart/releases/7.x-3.12
[4] https://www.drupal.org/user/796148
[5] https://www.drupal.org/user/246492
[6] https://www.drupal.org/user/796148
[7] https://www.drupal.org/user/202830
[8] https://www.drupal.org/u/mlhess
More information about the Security-news
mailing list