it-securitynotifies AT lists.piratenpartei.de
Subject: Security announcements
List archive
[IT-SecNots] [Security-news] Commerce invoices - Highly Critical - SQL Injection and Cross Site scripting - DRUPAL-SA-CONTRIB-2017-070
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecNots] [Security-news] Commerce invoices - Highly Critical - SQL Injection and Cross Site scripting - DRUPAL-SA-CONTRIB-2017-070
- Date: Wed, 30 Aug 2017 17:40:42 +0000 (UTC)
- List-archive: <http://lists.drupal.org/pipermail/security-news/>
- List-id: <security-news.drupal.org>
View online: https://www.drupal.org/node/2905691
* Advisory ID: DRUPAL-SA-CONTRIB-2017-070
* Project: Commerce Invoices [1] (third-party module)
* Version: 7.x
* Date: 2017-August-30
* Security risk: 20/25 (Highly Critical) AC:None/A:None/CI:All/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting, SQL Injection
-------- DESCRIPTION ---------------------------------------------------------
Commerce Invoices allows you to enter an Invoice number, Company name and
Amount and it will generate an Invoice that the client can pay on your site
using any payment method supported by Drupal commerce.
-------- SQL INJECTION -------------------------------------------------------
The module did not properly use Drupal's database API when querying the
database with user-supplied values, allowing an attacker to send a specially
crafted request to modify the query or potentially perform additional
queries.
The vulnerability is mitigated by the fact that the attacker must have the
'access checkout' permission - this permission is commonly granted.
-------- STORED CROSS SITE SCRIPTING (XSS) -----------------------------------
The module did not filter user-supplied text prior to printing that text back
to users of the site.
The vulnerability is mitigated by the fact that the attacker must have the
'access checkout' permission - this permission is commonly granted.
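The two defect classes described above, each beside the form the Drupal 7 API intends, as an added illustration that is not the Commerce Invoices module's actual code; the function, table and field names are assumed for the example.

```php
<?php
// Hypothetical invoice lookup in a Drupal 7 module. $number arrives from the
// request (e.g. a query string) and is therefore attacker-controlled.

// VULNERABLE: the value is concatenated into the SQL text, so the DB API's
// quoting is bypassed and a crafted value can alter the query.
function example_invoice_load_vulnerable($number) {
  $sql = "SELECT invoice_id, company, amount FROM {example_invoice} "
       . "WHERE number = '" . $number . "'";
  return db_query($sql)->fetchAssoc();
}

// HARDENED: the value is bound to a named placeholder; the database layer
// passes it as data, so it can only ever be compared, never parsed as SQL.
function example_invoice_load($number) {
  return db_query(
    'SELECT invoice_id, company, amount FROM {example_invoice} WHERE number = :number',
    array(':number' => $number)
  )->fetchAssoc();
}

// VULNERABLE: a stored, user-supplied company name is echoed into HTML
// unescaped, so markup or script inside it runs for every visitor (stored XSS).
function example_invoice_render_vulnerable(array $invoice) {
  return '<h2>Invoice for ' . $invoice['company'] . '</h2>';
}

// HARDENED: t() with an @-placeholder runs check_plain() on the value, so
// '<', '>', '&' and quotes reach the browser as literal text.
function example_invoice_render(array $invoice) {
  return '<h2>' . t('Invoice for @company', array('@company' => $invoice['company'])) . '</h2>';
}

// Non-translatable output takes the same escaping step directly.
function example_invoice_amount_markup($amount_text) {
  return '<span class="amount">' . check_plain($amount_text) . '</span>';
}
```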
-------- CVE IDENTIFIER(S) ISSUED --------------------------------------------
* /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./
-------- VERSIONS AFFECTED ---------------------------------------------------
* All Commerce Invoices versions prior to 7.x-1.1
Drupal core is not affected. If you do not use the contributed Commerce
Invoices [4] module, there is nothing you need to do.
-------- SOLUTION ------------------------------------------------------------
Install the latest version:
* If you use the Commerce Invoices module for Drupal 7.x, upgrade to Commerce
Invoices 7.x-1.1 [5]
Special note: the module's strings have changed. Any site that uses Drupal's
localization system should review and update the translated strings on the
site.
Also see the Commerce Invoices [6] project page.
-------- REPORTED BY ---------------------------------------------------------
* Jean-Francois Hovinne [7]
-------- FIXED BY ------------------------------------------------------------
* Samuel Solís [8], the module maintainer
* Jean-Francois Hovinne [9] of the Drupal Security Team
* Greg Knaddison [10] of the Drupal Security Team
-------- COORDINATED BY ------------------------------------------------------
* Greg Knaddison [11] of the Drupal Security Team
-------- CONTACT AND MORE INFORMATION ----------------------------------------
The Drupal security team can be reached at security at drupal.org or via the
contact form at https://www.drupal.org/contact [12].
Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].
Follow the Drupal Security Team on Twitter at
https://twitter.com/drupalsecurity [16]
[1] https://www.drupal.org/project/commerce_invoices
[2] https://www.drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] https://www.drupal.org/project/commerce_invoices
[5] https://www.drupal.org/project/commerce_invoices/releases/7.x-1.1
[6] https://www.drupal.org/project/commerce_invoices
[7] https://www.drupal.org/user/139209
[8] https://www.drupal.org/user/1232954
[9] https://www.drupal.org/user/139209
[10] https://www.drupal.org/user/36762
[11] https://www.drupal.org/user/36762
[12] https://www.drupal.org/contact
[13] https://www.drupal.org/security-team
[14] https://www.drupal.org/writing-secure-code
[15] https://www.drupal.org/security/secure-configuration
[16] https://twitter.com/drupalsecurity
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news
Archive provided by MHonArc 2.6.19.