MoneySuite - Moderately critical - Access bypass - SA-CONTRIB-2017-085

Project:

MoneySuite

Date:

2017-November-29

Security risk:

Moderately critical 14∕25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default

Vulnerability:

Access bypass

Description:

MoneySuite provides a set of modules for Drupal sites that rely on the sale of memberships and/or content for revenue.

The modules have an access bypass vulnerability which allows untrusted users (including anonymous users) to view payments made by users within the system. No data can be modified, nor are any credit card numbers displayed.

Solution:

Install the latest version:

If you use the MoneySuite module for Drupal 7.x, upgrade to MoneySuite 7.x-10.4

Reported By:

Anthony Lindsay

Fixed By:

Anthony Lindsay
Clive Murden the module maintainer
Farreres the module maintainer

Coordinated By:

David Rothstein of the Drupal Security Team

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter @drupalsecurity or Mastodon drupalsecurity@drupal.community.

Contributing organizations for this advisory

Annertech

MoneySuite - Moderately critical - Access bypass - SA-CONTRIB-2017-085

Contact and more information

Contributing organizations for this advisory

Thank you to these Drupal contributors

News items

Our community

Documentation

Drupal code base

Governance of community