
it-securitynotifies - [IT-SecNots] [Security-news] MoneySuite - Moderately critical - Access bypass - SA-CONTRIB-2017-085

  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] MoneySuite - Moderately critical - Access bypass - SA-CONTRIB-2017-085
  • Date: Wed, 29 Nov 2017 18:47:30 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2017-085

Project: MoneySuite [1]
Version: 7.x-10.x-dev
Date: 2017-November-29
Security risk: *Moderately critical* 14∕25
AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Default [2]
Vulnerability: Access bypass

Description: 
MoneySuite provides a set of modules for Drupal sites that rely on the sale
of memberships and/or content for revenue.

The modules have an access bypass vulnerability which allows untrusted users
(including anonymous users) to view payments made by users within the system.
No data can be modified, nor are any credit card numbers displayed.

Solution: 
Install the latest version:

* If you use the MoneySuite module for Drupal 7.x, upgrade to MoneySuite
7.x-10.4 [3]

Reported By: 
* Anthony Lindsay [4]

Fixed By: 
* Anthony Lindsay [5]
* Clive Murden [6] the module maintainer
* Farreres [7] the module maintainer

Coordinated By: 
* David Rothstein [8] of the Drupal Security Team


[1] https://www.drupal.org/project/moneysuite
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/moneysuite/releases/7.x-10.4
[4] https://www.drupal.org/u/anthonylindsay
[5] https://www.drupal.org/u/anthonylindsay
[6] https://www.drupal.org/u/clivem
[7] https://www.drupal.org/u/farreres
[8] https://www.drupal.org/user/124982
