SA-CONTRIB-2009-112 - Sections - Cross Site Scripting

  • Advisory ID: DRUPAL-SA-CONTRIB-2009-112
  • Project: Sections (third-party module)
  • Version: 5.x, 6.x
  • Date: 2009-December-16
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting

SA-CONTRIB-2009-111 - Randomizer - Cross Site Scripting

  • Advisory ID: DRUPAL-SA-CONTRIB-2009-111
  • Project: Randomizer (third-party module)
  • Version: 5.x, 6.x
  • Date: 2009-December-09
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting

SA-CONTRIB-2009-110 - Taxonomy Timer - SQL Injection

  • Advisory ID: DRUPAL-SA-CONTRIB-2009-110
  • Project: Taxonomy Timer (third-party module)
  • Version: 5.x, 6.x
  • Date: 2009-November-25
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: SQL Injection

SA-CONTRIB-2009-109 - Printfriendly - Cross Site Scripting

  • Advisory ID: DRUPAL-SA-CONTRIB-2009-109
  • Project: Printfriendly (third-party module)
  • Version: 6.x
  • Date: 2009-November-18
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting

SA-CONTRIB-2009-108 - Gallery Assist - Cross Site Scripting

  • Advisory ID: DRUPAL-SA-CONTRIB-2009-108
  • Project: Gallery Assist (third-party module)
  • Version: 6.x
  • Date: 2009-November-18
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting

SA-CONTRIB-2009-107 - Ubercart - Access bypass, Cross site request forgery

  • Advisory ID: DRUPAL-SA-CONTRIB-2009-107
  • Project: Ubercart (third-party module)
  • Version: 5.x, 6.x
  • Date: 2009-November-18
  • Security risk: Moderately Critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass, Cross-site request forgery

Description

Ubercart's PayPal Website Payments Standard integration exposes a path for completed orders without properly checking that the order is valid for the current user. In the event that the order has already been processed for checkout, this can result in duplicate actions taking place inadvertently. Furthermore, if the checkout completion message has been modified to include order details, information disclosure can happen.

The Ubercart order management was also affected by a minor cross-site request forgery vulnerability.

Versions affected

Drupal core is not affected. If you do not use the contributed Ubercart module, there is nothing you need to do.

Solution

Upgrade to the latest version:
