Show advisories for only Drupal Core, only contributed projects, or only PSAs

SA-CONTRIB-2009-115 - Autocomplete Widgets for CCK Text and Number - Information Disclosure

By Drupal Security Team on
  • Advisory ID: DRUPAL-SA-CONTRIB-2009-115
  • Project: Autocomplete Widgets for CCK Text and Number (third-party module)
  • Version: 6.x
  • Date: 2009-December-30
  • Security risk: Less Critical
  • Exploitable from: Remote
  • Vulnerability: Information Disclosure
Categories: Drupal 6.x

SA-CONTRIB-2009-114 - Automated Logout - Cross Site Scripting

By Drupal Security Team on
  • Advisory ID: DRUPAL-SA-CONTRIB-2009-114
  • Project: Automated Logout (third-party module)
  • Version: 6.x
  • Date: 2009-December-23
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Categories: Drupal 6.x

SA-CONTRIB-2009-113 - FAQ - Cross Site Scripting

By Drupal Security Team on
  • Advisory ID: DRUPAL-SA-CONTRIB-2009-113
  • Project: FAQ (third-party module)
  • Version: 5.x, 6.x
  • Date: 2009-December-23
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Categories: Drupal 5.x, Drupal 6.x

SA-CORE-2009-009 - Drupal Core - Cross site scripting

By Drupal Security Team on
  • Advisory ID: DRUPAL-SA-CORE-2009-009
  • Project: Drupal core
  • Version: 5.x, 6.x
  • Date: 2009-December-16
  • Security risk: Not critical
  • Exploitable from: Remote
  • Vulnerability: Cross site scripting
Categories: Drupal 5.x, Drupal 6.x

SA-CONTRIB-2009-112 - Sections - Cross Site Scripting

By Drupal Security Team on
  • Advisory ID: DRUPAL-SA-CONTRIB-2009-112
  • Project: Sections (third-party module)
  • Version: 5.x, 6.x
  • Date: 2009-December-16
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Categories: Drupal 5.x, Drupal 6.x

SA-CONTRIB-2009-111 - Randomizer - Cross Site Scripting

By Drupal Security Team on
  • Advisory ID: DRUPAL-SA-CONTRIB-2009-111
  • Project: Randomizer (third-party module)
  • Version: 5.x, 6.x
  • Date: 2009-December-09
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Categories: Drupal 5.x, Drupal 6.x

SA-CONTRIB-2009-110 - Taxonomy Timer - SQL Injection

By Drupal Security Team on
  • Advisory ID: DRUPAL-SA-CONTRIB-2009-110
  • Project: Taxonomy Timer (third-party module)
  • Version: 5.x, 6.x
  • Date: 2009-November-25
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: SQL Injection
Categories: Drupal 5.x, Drupal 6.x

SA-CONTRIB-2009-109 - Printfriendly - Cross Site Scripting

By Drupal Security Team on
  • Advisory ID: DRUPAL-SA-CONTRIB-2009-109
  • Project: Printfriendly (third-party module)
  • Version: 6.x
  • Date: 2009-November-18
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Categories: Drupal 6.x

SA-CONTRIB-2009-108 - Gallery Assist - Cross Site Scripting

By Drupal Security Team on
  • Advisory ID: DRUPAL-SA-CONTRIB-2009-108
  • Project: Gallery Assist (third-party module)
  • Version: 6.x
  • Date: 2009-November-18
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Categories: Drupal 6.x

SA-CONTRIB-2009-107 - Ubercart - Access bypass, Cross site request forgery

By Drupal Security Team on
  • Advisory ID: DRUPAL-SA-CONTRIB-2009-107
  • Project: Ubercart (third-party module)
  • Version: 5.x, 6.x
  • Date: 2009-November-18
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass, Cross-site request forgery

Description

Ubercart's PayPal Website Payments Standard integration exposes a path for completed orders without properly checking that the order is valid for the current user. In the event that the order has already been processed for checkout, this can result in duplicate actions taking place inadvertently. Furthermore, if the checkout completion message has been modified to include order details, information disclosure can happen.

The Ubercart order management was also affected by a minor cross-site request forgery vulnerability.

Versions affected

Drupal core is not affected. If you do not use the contributed Ubercart module, there is nothing you need to do.

Solution

Upgrade to the latest version:

Categories: Drupal 5.x, Drupal 6.x

Pages

Subscribe with RSS Subscribe to Security advisories