Skip directly to content

Feed aggregator

SA-CONTRIB-2015-053 - Entity API - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 02/25/2015 - 15:17
Description

The Entity API module extends the entity API of Drupal core in order to provide a unified way to deal with entities and their properties.

The module doesn't sufficiently sanitize field labels when exposing them through the Token API thereby exposing a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to administer fields such as "administer taxonomy".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Entity API 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed Entity API module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Entity API project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-052 - RESTful Web Services - Access Bypass

Drupal Contrib Security Announcements - Wed, 02/18/2015 - 16:17
Description

This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF.

The RESTWS Basic Auth submodule doesn't sufficiently disable page caching for authenticated requests thereby leaking potentially confidential data to unauthorized users.

This vulnerability is mitigated by the fact that the RESTWS Basic Auth submodule must be enabled, page caching must be enabled and permissions for a resource containing sensitive data must be enabled (for example the User resource).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • RESTWS 7.x-1.x versions prior to 7.x-1.5.
  • RESTWS 7.x-2.x versions prior to 7.x-2.3.

Drupal core is not affected. If you do not use the contributed RESTful Web Services module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the RESTful Web Services project page.

Reported by Fixed by
  • Klaus Purer the module maintainer and member of the Drupal Security Team
Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-051 - Term Queue - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 02/18/2015 - 16:11
Description

Term Queue module allows you to create lists of taxonomy terms and display them in a block.

The module doesn't sufficiently sanitize user supplied text in some administration pages, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer taxonomy".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Term Queue 6.x-1.0

Drupal core is not affected. If you do not use the contributed Term Queue module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Term Queue project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2015-050 - Services Basic Authentication - Access bypass - Unsupported

Drupal Contrib Security Announcements - Wed, 02/18/2015 - 16:05
Description

Services Basic Authentication module adds HTTP basic authentication for Services module.

A user could get unauthorized access to resources under some circumstances.

This vulnerability is mitigated by the fact that the authentication works correctly when page caching is disabled.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of Services Basic Authentication module.

Drupal core is not affected. If you do not use the contributed Services Basic Authentication module, there is nothing you need to do.

Solution

If you use the Services Basic Authentication module you should uninstall it

Also see the Services Basic Authentication project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-049 - Navigate - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 02/18/2015 - 15:24
Description

Navigate is a customizable navigation bar for Drupal.

The module doesn't sufficiently sanitize user input when displaying the Navigate bar.

Because the vulnerability is a Reflected Cross Site Scripting, the only mitigating factor is that the victim must be tricked into visiting a specially crafted malicious url.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Navigate 6.x-1.x versions prior to 6.x-1.1.
  • Navigate 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Navigate module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Navigate project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2015-048 - Avatar Uploader - Arbitrary PHP code execution

Drupal Contrib Security Announcements - Wed, 02/18/2015 - 15:09
Description

Avatar Uploader module provides an alternative way to upload user pictures.

The module doesn't sufficiently enforce file extensions when an avatar is uploaded, allowing users to bypass Drupal's normal file upload protections to install malicious HTML or executable code to the server.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "upload avatar file", and that the fix for SA-2006-006 - Drupal Core - Execution of arbitrary files in certain Apache configurations should prevent code execution in typical Apache configurations.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Avatar Uploader 6.x-1.x versions prior to 6.x-1.3.

Drupal core is not affected. If you do not use the contributed Avatar Uploader module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Avatar Uploader project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-047 - Panopoly Magic - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 02/18/2015 - 15:08
Description

This module enables live previews of Panels panes in the modal dialog for adding or editing them.

The module doesn't sufficiently filter the pane title when re-rendering the live preview.

This vulnerability is mitigated by the fact that an attacker must have permission to add or edit Panels panes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Panopoly Magic 7.x-1.x versions prior to 7.x-1.17.

Drupal core is not affected. If you do not use the contributed Panopoly Magic module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Panopoly Magic project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-046 - Taxonomy Tools - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 02/11/2015 - 19:18
Description

Taxonomy Tools module provides alternative ways of managing taxonomy terms.

The module doesn't sufficiently escape node and taxonomy term titles when displaying them, allowing a malicious user to inject code.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create or edit nodes or taxonomy terms.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Taxonomy Tools 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Taxonomy Tools module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Taxonomy Tools project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-045 - Node Access Product - Cross Site Scripting (XSS) - Unsupported

Drupal Contrib Security Announcements - Wed, 02/11/2015 - 19:18
Description

The Node Access Product module provides 'Node access' settings for product nodes, whereby users who purchase the product are granted view access to content, which can be predefined either by taxonomy, by node, or by Views.

The module doesn't sufficiently sanitize node titles leading to the possibility of cross-site scripting by an attacker.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create/edit content.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of Node Access Product

Drupal core is not affected. If you do not use the contributed Node Access Product module, there is nothing you need to do.

Solution

If you use the Node Access Product module you should uninstall it.

Also see the Node access product project page.

Reported by Fixed by
  • Not applicable.
Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2015-044 - Taxonomy Path - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 02/11/2015 - 16:21
Description

Taxonomy Path module enables you to create custom links to taxonomy terms within a display mode.

The module doesn't sufficiently sanitize user provided text in the provided "Link to path" field formatter, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create/edit taxonomy terms.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Taxonomy Path 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Taxonomy Path module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Taxonomy Path project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-043 - Commerce Balanced Payments - Multiple vulnerabilities

Drupal Contrib Security Announcements - Wed, 02/11/2015 - 16:18
Description

Commerce Balanced Payments module integrates Drupal Commerce with the Balanced Payments third-party service.

The module doesn't sufficiently sanitize user supplied text in the Bank Account Listing Page, thereby exposing a Cross Site Scripting vulnerability.

Also, some URLs were not protected against CSRF. A malicious user can cause another user to delete their configured bank accounts by getting their browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of Commerce Balanced Payments.

Drupal core is not affected. If you do not use the contributed Commerce Balanced Payments module, there is nothing you need to do.

Solution

If you use the Commerce Balanced Payments module you should uninstall it.

Also see the Commerce Balanced Payments project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-042 - Node basket - Multiple vulnerabilities - Unsupported

Drupal Contrib Security Announcements - Wed, 02/11/2015 - 16:09
Description

Node basket module enables you to pick up nodes in a basket.

The module doesn't sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a user with permission to create/edit nodes.

Also, the module has CSRF vulnerabilities. A malicious user can cause another user to add/remove nodes of the basket by getting his browser to make a request to a specially-crafted URL.

Also, the module has an Open Redirect vulnerability.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All versions of Node basket module.

Drupal core is not affected. If you do not use the contributed Node basket module, there is nothing you need to do.

Solution

If you use the Node basket module you should uninstall it.

Also see the Node basket project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2015-041 - Feature Set - Cross Site Request Forgery (CSRF) - Unsupported

Drupal Contrib Security Announcements - Wed, 02/11/2015 - 16:00
Description

Feature Set module enables you to enable or disable sets of features or modules.

The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to enable and disable modules by getting the administrator's browser to make a request to a specially-crafted URL.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • All versions of Feature Set module.

Drupal core is not affected. If you do not use the contributed Feature Set module, there is nothing you need to do.

Solution

If you use the Feature Set module you should uninstall it.

Also see the Feature Set project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-040 - Webform prepopulate block - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 02/11/2015 - 15:55
Description

Webform prepopulate block module enables you to set a webform component to display in a separated block.

The module doesn't sufficiently sanitize user supplied text when displaying the block, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create or edit nodes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Webform prepopulate block 7.x-3.0

Drupal core is not affected. If you do not use the contributed Webform prepopulate block module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Webform prepopulate block project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-039 - Views - Multiple vulnerabilities

Drupal Contrib Security Announcements - Wed, 02/11/2015 - 15:53
Description

The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented.

Open redirect vulnerability

The module does not sanitize user provided URLs when processing the page to break the lock on Views being edited, thereby exposing an open redirect attack vector.

This vulnerability is mitigated by the fact that the Views UI submodule must be enabled.

Access bypass vulnerability

The module does not protect the default Views configurations that ship with the module sufficiently, thereby exposing possibly protected information to unprivileged users.

This vulnerability is mitigated by the fact that it only affects sites that have not granted the common "access content" or "access comments" permission to untrusted users. Furthermore, these default views configurations are disabled by default and must be enabled by an administrator.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Views 6.x-2.x versions prior to 6.x-2.18.
  • Views 6.x-3.x versions prior to 6.x-3.2.
  • Views 7.x-3.x versions prior to 7.x-3.10.

Drupal core is not affected. If you do not use the contributed Views module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Views project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.xDrupal 7.x
Categories: Security posts

SA-CONTRIB-2015-038 - Facebook Album Fetcher - Cross Site Scripting (XSS) - Unsupported

Drupal Contrib Security Announcements - Wed, 02/04/2015 - 18:38
Description

Facebook Album Fetcher module allows you to fetch Facebook albums from a Facebook account.

The module incorrectly prints fields without proper sanitization thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "access administration pages".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • All versions of Facebook Album Fetcher.

Drupal core is not affected. If you do not use the contributed Facebook Album Fetcher module,
there is nothing you need to do.

Solution

If you use the Facebook Album Fetcher module you should uninstall it.

Also see the Facebook Album Fetcher project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-037 - Path Breadcrumbs - Access Bypass

Drupal Contrib Security Announcements - Wed, 02/04/2015 - 18:02
Description

This module enables you to configure breadcrumbs for any Drupal page.

The module doesn't check node access on 403 Not Found pages. As a result, unpublished content data can be shown to unprivileged user.

This vulnerability is mitigated by the fact that it is possible to configure proper access control in Path Breadcrumbs items with “Selection Rules” from the UI.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Path Breadcrumbs 7.x-3.x versions prior to 7.x-3.2

Drupal core is not affected. If you do not use the contributed Path Breadcrumbs module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Path Breadcrumbs project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-036 - Public Download Count - Cross Site Scripting (XSS) - Unsupported

Drupal Contrib Security Announcements - Wed, 02/04/2015 - 17:39
Description

Public Download Count module keeps track of file download counts.

The module doesn't sufficiently sanitize user supplied text in the Download counts report page thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create or edit nodes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • All versions of Public Download Count module.

Drupal core is not affected. If you do not use the contributed Public Download Count module,
there is nothing you need to do.

Solution

If you use the Public Download Count module you should uninstall it.

Also see the Public Download Count project page.

Reported by Fixed by

Not applicable.

Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-035 - Ajax Timeline - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 02/04/2015 - 17:22
Description

Ajax Timeline module enables you to display a vertical timeline of nodes based off a date field or created date of the configured nodes.

The module doesn't sufficiently escape node titles when displaying the timeline, allowing a malicious user to inject code.

This vulnerability is mitigated by the fact that an attacker must have a role with permission to create or edit nodes of the type configured for the timeline.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Ajax Timeline 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Ajax Timeline module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Ajax Timeline project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2015-034 - Commerce WeDeal - Open Redirect

Drupal Contrib Security Announcements - Wed, 02/04/2015 - 17:13
Description

Commerce WeDeal module enables you to do Commerce payments through the payment provider WeDeal.

The module doesn't sufficiently check a query parameter used for page redirection, thereby leading to an Open Redirect vulnerability.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Commerce WeDeal 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Commerce WeDeal module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Commerce WeDeal project page.

Reported by Fixed by Coordinated by Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

Pages