it-securitynotifies - [IT-SecNots] [Security-news] Commerce Custom Order Status - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-046

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

List archive

[IT-SecNots] [Security-news] Commerce Custom Order Status - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-046


  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Commerce Custom Order Status - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-046
  • Date: Wed, 11 Jul 2018 17:05:06 +0000 (UTC)
  • List-archive: <http://lists.drupal.org/pipermail/security-news/>
  • List-id: <security-news.drupal.org>

View online: https://www.drupal.org/sa-contrib-2018-046

Project: Commerce Custom Order Status [1]
Date: 2018-July-11
Security risk: *Moderately critical* 13/25
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
Vulnerability: Cross Site Scripting

Description: 
Commerce Custom Order Status provides forms for administrators to add, edit,
and delete order statuses from the order settings screen.

The module doesn't sufficiently sanitize the output of the status names.

This vulnerability is mitigated by the fact that an attacker must have a role
with the "configure order settings" permission.
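As an added illustration (not code from the Commerce Custom Order Status module), the pattern the description refers to in a minimal Drupal 7-style listing of order statuses: one rendering puts the saved status name into the page verbatim, the other escapes it with `check_plain()` at the point of output. The function names, the `check_plain()` shim (which reproduces Drupal 7's implementation so the file also runs outside Drupal with plain `php`) and the sample statuses are constructed for this example.

```php
<?php
// Added example, not the module's own code. Outside Drupal the shim below
// stands in for check_plain() so the file runs stand-alone.

if (!function_exists('check_plain')) {
  // Drupal 7's check_plain() is htmlspecialchars() with ENT_QUOTES and UTF-8.
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

/**
 * Vulnerable rendering: the status title an administrator saved is
 * concatenated straight into the markup, so any markup stored in the
 * name is emitted to everyone who views the listing.
 */
function example_status_table_vulnerable(array $statuses) {
  $html = "<table>\n";
  foreach ($statuses as $machine_name => $status) {
    $html .= '<tr><td>' . check_plain($machine_name) . '</td>'
           . '<td>' . $status['name'] . "</td></tr>\n"; // title not escaped
  }
  return $html . "</table>\n";
}

/**
 * Fixed rendering: every administrator-supplied string is escaped at the
 * point of output, so the stored value is displayed as text, not markup.
 */
function example_status_table_fixed(array $statuses) {
  $html = "<table>\n";
  foreach ($statuses as $machine_name => $status) {
    $html .= '<tr><td>' . check_plain($machine_name) . '</td>'
           . '<td>' . check_plain($status['name']) . "</td></tr>\n";
  }
  return $html . "</table>\n";
}

// Constructed sample data: the second title carries markup, as a user
// holding "configure order settings" could store it through the add form.
$sample_statuses = array(
  'awaiting_pickup' => array('name' => 'Awaiting pickup'),
  'on_hold'         => array('name' => 'On hold <b>urgent</b>'),
);

echo "Vulnerable output:\n" . example_status_table_vulnerable($sample_statuses);
echo "Fixed output:\n" . example_status_table_fixed($sample_statuses);
```

Escaping belongs at output rather than on save: a name stored with entities already applied would break other consumers of the value and still leaves any existing rows unprotected, whereas `check_plain()` on every rendered string covers both. The advisory's mitigation (the "configure order settings" permission) limits who can store such a name, but the fixed rendering is what removes the XSS.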


Solution: 
Install the latest version:

* If you use the Commerce Custom Order Status module for Drupal 7.x, upgrade
to Commerce Custom Order Status 7.x-1.1 [3]

Also see the Commerce Custom Order Status [4] project page.

Reported By: 
* bucefal91 [5]

Fixed By: 
* bucefal91 [6]
* Fabien Leroux [7]

Coordinated By: 
* Greg Knaddison [8] of the Drupal Security Team


[1] https://www.drupal.org/project/commerce_custom_order_status
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/commerce_custom_order_status/releases/7.x-1.1
[4] https://www.drupal.org/project/commerce_custom_order_status
[5] https://www.drupal.org/user/504128
[6] https://www.drupal.org/user/504128
[7] https://www.drupal.org/user/407852
[8] https://www.drupal.org/u/greggles

_______________________________________________
Security-news mailing list
Security-news AT drupal.org
Unsubscribe at https://lists.drupal.org/mailman/listinfo/security-news



Archive provided by MHonArc 2.6.19.
